Petco Bit by FTC Over Website

When you post your website privacy policies, you had better abide by them.

That lesson was learned anew when the Federal Trade Commission and Petco Animal Supplies, Inc. entered into a consent decree over charges that Petco violated its posted privacy policy. Petco sells pet and food supplies to customers at www.PETCO.com.

On the website, the company claimed: “At PETCO.com, protecting your information is our number one priority, and your personal information is strictly shielded from unauthorized access. Entering your credit card number via our secure server is completely safe. The server encrypts all of your information; no one except you can access it.”

Unfortunately for Petco, the FTC alleged that the site was vulnerable to SQL injection attacks. The FTC said Petco created the vulnerabilities by failing to implement reasonable and appropriate security measures to secure and protect sensitive consumer information, including simple, readily available defenses that would have blocked such attacks. The FTC further alleged that the information was not maintained in an encrypted format as claimed. A hacker was able to get into the site and access credit card numbers stored in unencrypted clear text. The FTC said Petco’s privacy policy was deceptive and violated the FTC Act. Under the consent decree, Petco is prohibited from misrepresenting the extent to which it maintains and protects sensitive customer information. The FTC accepted the consent decree on November 17, 2004.