RealTime IT News

DSW Decides FTC Security Shoe Fits

The other shoe fell today for DSW, the national footwear discounter that admitted in March that hackers accessed more than three months' worth of customer data.

In a settlement with the Federal Trade Commission (FTC), DSW agreed to implement a comprehensive security plan and to obtain independent audits by a third-party security firm every other year for 20 years.

The security program must include administrative, technical and physical safeguards.

Until at least March of this year, the FTC claims, DSW engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive customer information.

The FTC said DSW's failure to secure customers' sensitive data constituted an unfair trade practice, because it caused substantial injury that was not reasonably avoidable by consumers. The FTC further charged that offsetting benefits to consumers, such as credit, debit and check approvals, did not outweigh the consumer injuries.

According to the FTC, the DSW security lapse compromised 1.4 million customer credit and debit cards and 96,000 checking accounts. The FTC said that there have been fraudulent charges on some of the compromised accounts.

The FTC said DSW's exposure for losses related to the breach ranges from $6.5 million to $9.5 million.

As outlined in the FTC complaint, DSW uses computer networks to obtain authorization for credit card, debit card and check purchases at its stores and to track inventory. Columbus, Ohio-based DSW operates approximately 190 stores in 32 states. In 2004, the company generated $961 million in net sales and sold approximately 23.7 million pairs of shoes.

For credit and debit card purchases, DSW collects information including the name, card number and expiration date from the magnetic stripe on the back of the cards. This magnetic stripe information is a particularly sensitive security matter, because it contains a code that can be used to create counterfeit cards that appear genuine in the authorization process.

For check purchases, DSW collects information such as the routing number, account number, check number and the consumer's driver's license number and state. In each case, the information was wirelessly transmitted to a computer network located in the store.

From there, the data was sent to the appropriate bank or check processor.

The poor security practices the FTC claims DSW followed included creating unnecessary risks to sensitive information by storing it in multiple files after it no longer had a business need to retain it, and storing that data in unencrypted files that could be easily accessed using a commonly known user ID and password.

Among the other lax practices cited by the FTC was the failure to use readily available security measures to limit access to its computer networks through the wireless access points on those networks.