Barnes & Noble.com Fined for Customer Data Leak

The online bookseller settles with the New York AG's office and plans to establish an IT security program to protect sensitive customer information.


You Can't Detect What You Can't See: Illuminating the Entire Kill Chain

On-Demand Webinar

New York-based online bookseller Barnes & Noble.com has been slapped with a $60,000 fine after a flaw exposed sensitive customer data on its Web site.

As part of a settlement with New York State attorney General Eliot Spitzer, Barnes & Noble.com will pay the fine and establish an information security program to protect personal information collected during e-commerce operations.

The book retailer has also agreed to establish management oversight and employee training programs and hire an external auditor to monitor compliance with the security program.

Exposure of sensitive customer data is a recurring problem faced by e-commerce firms. Malicious attackers are a constant threat and design flaws to e-commerce software are always a risk.

In fact, it was a design flaw in Barnes & Noble.com's Web site that led to the exposure of sensitive customer information, including names, billing addresses and account information. In this case, Spitzer's office said credit card numbers were not divulged.

During an investigation, the New York attorney general said the design vulnerability "permitted unauthorized access to consumers' accounts and personal information and enabled users to make purchases on the site from consumers' accounts."

The flaw arose from Barnes & Noble.com's use of "cookie-less" shopping, a feature that avoids the use of "cookies" . Cookies are normally used by Web sites to identify users and sometimes prepare customized Web pages for them.

"In certain situations (such as a consumer forwarding or posting a web page link), the consumer information in the URL was inadvertently posted or forwarded to third parties," the AG's office said.

"Consumers are concerned about how their personal information is secured and protected by online merchants. Our effort here should help assure that the terms of Barnes and Noble's Internet privacy policy are met."

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.



IT Management Daily
Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that datamation.com may send you Datamation offers via email, phone and text message, as well as email offers about other products and services that Datamation believes may be of interest to you. Datamation will process your information in accordance with the Quinstreet Privacy Policy.