Geeks.com, a large online seller of computer hardware and software, has agreed to allow federal regulators to monitor its website security for 10 years to settle charges it violated federal laws requiring it to adequately safeguard sensitive customer data.

The agreement, which also applies to sister site computergeeks.com, settles a complaint filed by the Federal Trade Commission that accused the online retailers of misleading its customers about the safety of their personal information. Names, addresses, credit card numbers, and other data were routinely sent unencrypted to authorization services, making them ripe for identity thieves, the complaint alleged.

During a six-month period starting in January of 2007, the sites were breached repeatedly by hackers who used simple SQL injections to siphon credit card numbers, expiration dates, and other sensitive details on hundreds of customers. Website operators didn't learn of the attacks until the following December. During the time of the breach, Geeks.com proudly displayed a banner provided by security provider McAfee claiming the site was "Hacker Safe".

The sites have since closed the security holes and notified law enforcement authorities.

Genica Corp., the websites' parent company, has agreed to submit its website security to outside auditing by qualified security professionals every other year and to make the results available to FTC officials. The agreement will remain in place for the next decade. The company also agreed not to make misleading claims about its website security.

Even with federal charges settled, Genica is likely to have some explaining to do with the credit card industry. Payment card industry regulations require merchants to follow a maze of procedures designed to protect card data as it's stored on servers and zapped to authorization services. Penalties for violations can be steep.

The FTC's complaint and settlement (both of them PDFs) are here, and here respectively. ®

Related stories

• McAfee website visited by plague of security locusts (5 May 2009)
• UK childcare voucher site offline after security snafu (17 February 2009)
• Online advertisers team up on privacy principles (16 January 2009)
• Accused Scareware mongers held in contempt of court (24 December 2008)
• Judge buries bogus malware-protection gang (10 December 2008)
• Feds shutter one-stop stalker shop (18 November 2008)
• FTC sues internet 'loan sharks' for deceptive lending (14 November 2008)
• Feds hamstring world's largest spam gang (14 October 2008)
• FTC wants to hit the spyware guys where it hurts (13 June 2008)