New York-based online bookseller Barnes & Noble.com
has been slapped with a $60,000 fine after a flaw exposed sensitive customer data
on its Web site.
As part of a settlement with New York State attorney General Eliot Spitzer, Barnes & Noble.com will pay the fine and establish an information security program to protect personal information collected during e-commerce operations.
The book retailer has also agreed to establish management oversight and employee training programs and hire an external auditor to monitor compliance with the security program.
Exposure of sensitive customer data is a recurring problem faced by e-commerce firms. Malicious attackers are a constant threat and design flaws to e-commerce software are always a risk.
In fact, it was a design flaw in Barnes & Noble.com's Web site that led to the exposure of sensitive customer information, including names, billing addresses and account information. In this case, Spitzer's office said credit card numbers were not divulged.
During an investigation, the New York attorney general said the design vulnerability "permitted unauthorized access to consumers' accounts and personal information and enabled users to make purchases on the site from consumers' accounts."
The flaw arose from Barnes & Noble.com's use of "cookie-less" shopping, a
feature that avoids the use of "cookies"
"In certain situations (such as a consumer forwarding or posting a web page link), the consumer information in the URL was inadvertently posted or forwarded to third parties," the AG's office said.