PetCo, FCC Settle Over Online Security Flaws

PetCo Animal Supplies Inc. falsely assured its online customers that their credit card numbers were secure when they were actually vulnerable to common computer hacking attacks, the Federal Trade Commission said Wednesday.

The San Diego-based company, the nation’s second- largest pet supply chain, with more than 670 stores, told users of its Petco.com website that their data were encrypted and secure. But, in fact, hundreds of thousands of credit card numbers were not encrypted and were read by an outside security researcher.

In a settlement with the FTC announced Wednesday, PetCo promised to upgrade its online security and submit regular reports on its progress. The company did not admit making misstatements and will not pay a fine.

The case is the fifth brought by the FTC involving overblown promises of website security; all made use of federal laws against false business claims. The FTC previously reached settlements with Microsoft Corp., Guess Inc., Eli Lilly & Co. and Tower Records owner MTS Inc.

Both the Guess case and the PetCo investigation were triggered by private security researcher Jeremiah Jacks, who made the discoveries.

A California law passed this year requires companies doing business in the state to notify customers when some personal information has been compromised. Under that law, Wells Fargo & Co. has reported a series of breaches, including the theft of computers containing account data.

The PetCo probe began in 2003, before that law took effect, so customers were not informed. Company spokesman Shawn Underwood said customer names and addresses were not visible with the credit card numbers, making the potential for fraud less likely.

Neither the company nor the FTC reported any credit card fraud as a result of the security hole, which was patched after Jacks found it.

PetCo shares rose 16 cents to $37.46 on Nasdaq.