More NewsGuess Settles FTC Complaint

Guess Settles FTC Complaint

Agency claims clothing retailer exposed consumers' credit card numbers to hackers after touting security of online information.

Clothing retailer Guess, Inc., has agreed to settle Federal Trade Commission (FTC) charges that it exposed consumers’ personal information, including credit card numbers, to computer hackers, contrary to the company’s claims. Guess’ online statements reassured consumers that their personal information would be secure and protected.

The Guess settlement prohibits the company from misrepresenting the extent to which it maintains and protects the security of personal information collected from or about consumers. It also requires that Guess establish and maintain a comprehensive information security program.

In addition, Guess must have its security program certified as meeting or exceeding the standards in the consent order by an independent professional within a year, and every other year thereafter.

The Guess consent decree is for settlement purposes only and does not constitution an admission of guilt. When the FTC issues a consent order on a final basis, the carries the force of law and any future violation of the order may result in a civil penalty up to $11,000.

“Consumers have every right to expect that a business that says it’s keeping personal information secure is doing exactly that,” said Howard Beales, director of the FTC’s Bureau of Consumer Protection. “It’s not just good business, it’s the law.”

Guess has sold Guess-brand clothing and accessories online at guess.com since 1998. According to the FTC complaint, since at least October 2000, Guess’ Web site has been vulnerable to commonly known attacks such as Structured Query Language (SQL) injection attacks and other Web-based application attacks.

Guess’ online statements told consumers that their personal information would be secure and protected. The company’s claims included, “This site has security measures in place to protect the loss, misuse, and alteration of information under our control.” The company also claimed, “All of your personal information, including your credit card information and sign-in password, are stored in an unreadable, encrypted format at all times.”

In fact, according to the FTC, the personal information was not stored in an unreadable, encrypted format at all times and Guess’ security measures failed to protect against SQL and other commonly known attacks. The FTC said that in February 2002, a visitor to the Web site, using an SQL injection attack, was able to read in clear text credit card numbers stored in Guess’ databases.

Related Articles

GDPR: The role of technology in data compliance

Data & Analytics GDPR: The role of technology in data compliance

3w Clark Boyd
What companies can learn from the We-Vibe lawsuit about the Internet of Things

Legal & Regulatory What companies can learn from the We-Vibe lawsuit about the Internet of Things

8m Al Roberts
Has advertising arrived on Google Home?

Media Has advertising arrived on Google Home?

8m Al Roberts
Is Twitter slowly dying?

More News Is Twitter slowly dying?

9m Al Roberts
FedEx launches fulfillment service to take on Amazon

Ecommerce FedEx launches fulfillment service to take on Amazon

9m Al Roberts
Target is the top retail digital marketer, so why is it struggling?

Ecommerce Target is the top retail digital marketer, so why is it struggling?

8m Al Roberts
YouTube is "on pace to eclipse TV" thanks to savvy algorithm use

More News YouTube is "on pace to eclipse TV" thanks to savvy algorithm use

9m Al Roberts
YouTube is getting rid of 30-second unskippable pre-roll ads

Ad Industry Metrics YouTube is getting rid of 30-second unskippable pre-roll ads

9m Al Roberts