Tower Records Agrees to Fix Privacy Flaw
Users were able to access customer order histories, names, billing, shipping and e-mail addresses, and phone numbers on TowerRecords.com. Tower introduced the flaw when it redesigned the site, the FTC said.
Consumers who purchased from the site received a confirmation e-mail informing them that they could check the status of their order by entering their order number, according to the FTC. However, users discovered that anyone could enter any order number, including numbers for orders they had not placed, and view the status of other users' orders along with their personal information. The flaw was posted on Internet bulletin boards and in chat rooms, and 5,000 people had their personal information exposed, the FTC said.
The FTC charged Tower Records with making false privacy assurances. To settle the complaint, Tower must establish a comprehensive information security program and submit it to an audit by an independent security professional within six months, repeating the audit every other year for 10 years.
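
The order-status lookup described above is a missing object-level authorization check: the order number alone selects the record. The Python sketch below is an added example, not Tower Records' code and not taken from the FTC complaint; the order data, field names and function names are constructed for illustration. It shows the flawed lookup beside one that returns an order only to its owner and records denied attempts for monitoring.

```python
# Constructed sample data: order number -> record (all values invented).
ORDERS = {
    "100231": {"customer_id": "c-17", "email": "alice@example.com",
               "status": "shipped", "ship_to": "1 Example St"},
    "100232": {"customer_id": "c-42", "email": "bob@example.com",
               "status": "processing", "ship_to": "2 Sample Ave"},
}
DENIED_LOG = []  # (client, order_number) pairs for the monitoring pipeline


class LookupDenied(Exception):
    """Raised for unknown orders and for orders the requester may not see."""


def order_status_flawed(order_number):
    # The flaw as the article describes it: any visitor who enters a valid
    # order number receives that customer's record.
    return ORDERS[order_number]


def order_status_checked(order_number, client, session_customer_id=None, email=None):
    """Return an order only to its owner.

    Assumption: the requester is either logged in as the owning customer
    (session_customer_id comes from the server-side session) or, for guest
    checkout, supplies the e-mail address the order was placed with.
    """
    order = ORDERS.get(order_number)
    is_owner = order is not None and session_customer_id == order["customer_id"]
    is_guest = (order is not None and email is not None
                and email.strip().lower() == order["email"])
    if not (is_owner or is_guest):
        # One error for "no such order" and "not your order", so responses
        # do not confirm which order numbers exist.
        DENIED_LOG.append((client, order_number))
        raise LookupDenied("order not available")
    if is_owner:
        return dict(order)
    # Guest view: status only, no address or contact details.
    return {"status": order["status"]}
```

A burst of entries in `DENIED_LOG` from one client across many order numbers is the signal that someone is walking the number space.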