WHID 2006-48: SQL Injection Used to Steal Information from "Life is Good"
Update (Jan 26th 2009) - an SC magazine article sheds more light on the incident revealing that there was actually a breach, apparently using SQL injection, which resulted in leakage of 10,000 credit card numbers
An SQL injection vulnerability that could result in a hacker being able to access credit card numbers, expiration dates, and security codes of thousands of consumers was discovered in the web site of retailer "life is good".
The US Federal Trade Commission charged "life is good" with lack of reasonable and appropriate security for the sensitive consumer information stored on its servers. The company's settlement with the company requires the company to accept a very comprehensive and costly security procedure going forward.
Additional information:
- Online Retailer Settles Charges That It Left Consumer Data Open To Hackers [Information Week, Jan 18 2008]
- FTC Wags Finger At Site For Weak Consumer Data Security [Storefront Backtack, Jan 18 2008]
- n the Matter of Life is good, Inc., a corporation, and Life is good Retail, Inc., a corporation. FTC Matter No. 072-3046 [Federal Trade Commission, Jan 17 2008]
Attack Method:
Incident Outcome:
