Tower Records will repair a defect in its Web site that let users view personal information about other customers, the Federal Trade Commission said yesterday.
Users were able to access customer order histories, names, billing, shipping and e-mail addresses and phone numbers on TowerRecords.com. The problem arose after Tower redesigned the site and introduced the flaw, the FTC said.
Consumers who purchased from the site received a confirmation e-mail informing them that they could check the status of their order by entering their order number, according to the FTC. However, users discovered that anyone could enter any order number, even if they had not placed the order themselves, and look at the status of other users' orders and their personal information. The flaw was posted in Internet bulletin boards and chat rooms, and 5,000 people had their personal information exposed, the FTC said.
The Web site's privacy policy stated that Tower Records used “state-of-the-art technology” to secure personal information and that password protection prevented access to the information without authorization, according to the FTC.
The FTC charged Tower Records with making false privacy assurances. To settle the complaint, Tower must establish a comprehensive information security program and submit it to an audit by an independent security professional within six months, repeating the audit every other year for 10 years.
