The company that operates the Web site for retailer Tower Records has settled complaints by U.S. regulators that it allowed hackers in 2002 to steal personal information about thousands of its online customers.

Under the agreement announced yesterday (April 21), MTS Inc. of West Sacramento, Calif., must maintain a "reasonably designed" program to assure the security of customers to the Web site and hire outside consultants every two years during the next decade to test its security.

The Federal Trade Commission said failure to abide by those terms could result in fines up to $11,000.

The FTC said Tower Records, which emerged from bankruptcy last month, redesigned part of its Web site in November and December 2002 but failed to update one feature that customers used to check the status of their online purchase.

Over eight days, hackers exploited the problem to view the names, addresses and purchase details for about 5,225 customers and sometimes wrote demeaning comments in Internet chat rooms about people's choices in music, the FTC said.

Tower said in a statement that hackers did not steal any of its customers' credit-card or Social Security numbers, that it corrected the problem and that it has not detected any subsequent break-ins.

"We take the privacy and security of personal information collected from our customers very seriously," said Bill Baumann, Tower's chief information officer.

The FTC, which traditionally prosecutes businesses for fraudulent and deceptive trade practices, sued Tower Records over its written assurances to customers that it protected their personal information using "state-of-the-art technology." Regulators said the vulnerability in the company's Web site was "commonly known and reasonably foreseeable."

The case against Tower Records was the fourth of its kind by the FTC.

"Companies must have reasonable procedures in place to make sure that changes do not create new vulnerabilities," said Howard Beales, director of the FTC's Bureau of Consumer Protection. "Just as consumers remodeling their homes would make sure that the doors still have locks, companies should make sure that sensitive data is still protected."


Copyright 2004 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.