The FTC said the company stored the information, including credit card security codes, indefinitely in plain readable text on its network and failed to check its own Web site and network for vulnerability to well-known and reasonably foreseeable attacks, such as SQL injection. The FTC said "Life is good" failed to use free or low-cost security measures to monitor and control network connections and prevent such attacks. Finally, the FTC claims that the company did not take reasonable measures to detect unauthorized access to the information.
"A hacker was able to use SQL injection attacks on Life is good's Web site to access the credit card numbers, expiration dates, and security codes of thousands of consumers," the FTC said in a statement announcing the settlement.
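The two failures the FTC describes above, an injectable query and a table that retains the card security code, are easy to show side by side. The following is an added illustration, not code from the article, the FTC, or Life is good; the order table, the card records, and the `' OR '1'='1` payload are all constructed for the example. It builds an in-memory SQLite database, runs a lookup built by string formatting (the pattern behind the attack the FTC describes), then the same lookup with a bound parameter, and finally shows the fields a hardened order record would keep after authorization.

```python
import sqlite3

# Constructed sample rows (test card numbers, not real accounts). The
# "cvv" column models the security codes the FTC said were stored in clear text.
SAMPLE_ORDERS = [
    ("A1001", "4111111111111111", "12/09", "123"),
    ("A1002", "5555555555554444", "03/10", "456"),
    ("A1003", "378282246310005", "07/09", "789"),
]

# Attacker-controlled value: closes the quoted literal and appends an
# always-true condition, so a string-built WHERE clause matches every row.
PAYLOAD = "' OR '1'='1"


def build_db():
    """Create the constructed orders table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id TEXT, card_number TEXT, expiry TEXT, cvv TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_vulnerable(conn, order_id):
    """Deliberately injectable: user input is spliced into the SQL text."""
    query = (
        "SELECT order_id, card_number, expiry, cvv FROM orders "
        f"WHERE order_id = '{order_id}'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, order_id):
    """Hardened: the driver binds the value, so quotes in it stay data."""
    return conn.execute(
        "SELECT order_id, card_number, expiry, cvv FROM orders WHERE order_id = ?",
        (order_id,),
    ).fetchall()


def retained_record(card_number, expiry, cvv):
    """What a hardened order record keeps after authorization (assumption:
    only the last four digits and expiry are needed for support/refunds).
    The security code is used for the authorization call and then dropped."""
    del cvv  # never written to storage
    return {"last4": card_number[-4:], "expiry": expiry}


def demo():
    """Run both lookups with a normal id and with the injection payload."""
    conn = build_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "A1001"),
        "vulnerable_injected": lookup_vulnerable(conn, PAYLOAD),
        "parameterized_normal": lookup_parameterized(conn, "A1001"),
        "parameterized_injected": lookup_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) {rows}")
    print(retained_record("4111111111111111", "12/09", "123"))
```

With the payload, the string-built query becomes `WHERE order_id = '' OR '1'='1'` and returns every card on file, security codes included; the parameterized version treats the same input as a literal order id and returns nothing. Keeping only `last4` and `expiry` means that even a successful injection against the hardened table cannot yield a usable card number or security code.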
Under the terms of the settlement, Life is good will not make deceptive claims about its privacy and security policies and will create and maintain a comprehensive security program to protect consumer privacy. The security program also will include administrative, technical, and physical safeguards.
The company will dedicate one or more employees to coordinate information security, identify internal and external risks to consumer information, assess its security practices, and strengthen security as needed. The company also will choose and supervise service providers that handle its customer information. "Life is good" will use a third-party security auditor to assess its security biennially for the next 20 years and certify that the company meets or exceeds the terms of the FTC settlement. Finally, the company will retain records to allow the FTC to monitor compliance.
The FTC will allow 30 days of public comment on the order before voting on whether to make the settlement final.