RealTime IT News

Barnes & Noble.com Fined for Customer Data Leak

New York-based online bookseller Barnes & Noble.com has been slapped with a $60,000 fine after a flaw exposed sensitive customer data on its Web site.

As part of a settlement with New York State attorney General Eliot Spitzer, Barnes & Noble.com will pay the fine and establish an information security program to protect personal information collected during e-commerce operations.

The book retailer has also agreed to establish management oversight and employee training programs and hire an external auditor to monitor compliance with the security program.

Exposure of sensitive customer data is a recurring problem faced by e-commerce firms. Malicious attackers are a constant threat and design flaws to e-commerce software are always a risk.

In fact, it was a design flaw in Barnes & Noble.com's Web site that led to the exposure of sensitive customer information, including names, billing addresses and account information. In this case, Spitzer's office said credit card numbers were not divulged.

During an investigation, the New York attorney general said the design vulnerability "permitted unauthorized access to consumers' accounts and personal information and enabled users to make purchases on the site from consumers' accounts."

The flaw arose from Barnes & Noble.com's use of "cookie-less" shopping, a feature that avoids the use of "cookies" . Cookies are normally used by Web sites to identify users and sometimes prepare customized Web pages for them.

"In certain situations (such as a consumer forwarding or posting a web page link), the consumer information in the URL was inadvertently posted or forwarded to third parties," the AG's office said.

"Consumers are concerned about how their personal information is secured and protected by online merchants. Our effort here should help assure that the terms of Barnes and Noble's Internet privacy policy are met."