, operator of, and its parent, Genica Corporation, agreed to settle FTC charges that the companies failed to provide reasonable security to protect sensitive customer data. Allegedly, sensitive information collected by the respondents from consumers (including first and last name; address; e-mail address; telephone number; and credit card number, expiration date, and security code) was accessed by hackers.  

The respondents were charged with routinely storing consumers’ sensitive information in unencrypted text on their corporate computer network and not adequately assessing whether their Web application and network were vulnerable to commonly known or reasonably foreseeable attacks.  

The respondents also did not implement simple, readily available defenses to these attacks. The FTC claimed that hackers repeatedly exploited these vulnerabilities by using SQL injection attacks on  

The proposed settlement bars the respondents from making deceptive privacy and data security claims and requires them to implement and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. It also imposes audit requirements.