According to the FTC, Petco promised customers that it kept their data private and secure on its web site, where it sells pet food and supplies. However, the site was vulnerable to common web application attacks, such as SQL injection.
A hacker exploited flaws in the site to access credit-card numbers stored in unencrypted clear text, the FTC said. The agency charged that Petco's security claims were deceptive and violated the FTC Act.
The settlement requires that Petco implement a comprehensive infosec program to protect customers' personal data. It also requires that the company undergo biennial audits of its security program by an independent third party.