Tower Settles FTC Charges; Alyon Notation Altered

Rhett Pardon
WASHINGTON, D.C – The Federal Trade Commission said Wednesday it has settled with Tower Records over a security flaw in the music giant’s website that exposed customer data to other Internet surfers.

The FTC says that the website made claims such as “We use state-of-the-art technology to safeguard your personal information,” and “You and only you have access to this information.”

But the FTC says that surfers could easily access order history records and view certain personal information about other customers, such as names, billing and shipping address, email addresses, phone numbers, and past Tower purchases.

FTC spokesman Howard Beales said that it is the agency’s fourth case targeting companies that make false claims and misrepresent the security of consumer information.

“Companies must have reasonable procedures in place to make sure that changes do not create new vulnerabilities,” Beales said. “Just as consumers remodeling their homes would make sure that the doors still have locks, companies should make sure that sensitive data is still protected.”

The Tower consent agreement requires that the Sacramento, Calif.-based company implement a security program, as well as third-party audits of its website security every two years.

Separately, the FTC said that an October press release it issued on payment processor Alyon Technologies Inc. of New York was incorrect. The release indicated erroneously that U.S. District Court had prohibited Alyon from "billing, collecting, or attempting to collect payment" for services the company rendered via a deal with providers of online adult content.

The FTC said that the court did not prohibit billing but, instead, set forth the parameters under which Alyon may continue to conduct business.

The FTC and 13 state attorneys general charged last year that Alyon was illegally billing and collecting for videotext services accessed on the Internet.

Regulators claim that Alyon used a modem dialing program that disconnected consumers from their own Internet service providers and reconnected them to the Internet sites Alyon billed for without the consumers' authorization or approval.

Using the dialing program, the FTC said that Alyon captured the telephone number used by the modem and matched it against several databases of line subscriber information. The agency said the databases frequently contained errors.

The line subscribers identified as responsible for the captured telephone number later received bills charging them $4.99 a minute for each minute the defendants claim videotext services were purchased, regardless of whether the line subscribers authorized the purchase, the FTC said.