New York-based online bookseller Barnes & Noble.com
has been slapped with a $60,000 fine after a flaw exposed sensitive customer data
on its Web site.
As part of a settlement with New York State attorney General Eliot
Spitzer, Barnes & Noble.com will pay the fine and establish an
information security program to protect personal information collected
during e-commerce operations.
The book retailer has also agreed to establish management oversight and
employee training programs and hire an external auditor to monitor
compliance with the security program.
Exposure of sensitive customer data is a recurring problem faced by
e-commerce firms. Malicious attackers are a constant threat and design flaws
to e-commerce software are always a risk.
In fact, it was a design flaw in Barnes & Noble.com’s Web site that led
to the exposure of sensitive customer information, including names, billing
addresses and account information. In this case, Spitzer’s office said
credit card numbers were not divulged.
During an investigation, the New York attorney general said the design
vulnerability “permitted unauthorized access to consumers’ accounts and
personal information and enabled users to make purchases on the site from
The flaw arose from Barnes & Noble.com’s use of “cookie-less” shopping, a
feature that avoids the use of “cookies”
normally used by Web sites to identify users and sometimes prepare customized
Web pages for them.
“In certain situations (such as a consumer forwarding or posting a web
page link), the consumer information in the URL was inadvertently posted or
forwarded to third parties,” the AG’s office said.
“Consumers are concerned about how their personal information is secured
and protected by online merchants. Our effort here should help assure that