Petco, a national seller of pet food, supplies, and services, has agreed to settle Federal Trade Commission charges that security flaws in its Web site violated privacy promises it made to its customers and violated federal law.

The agency alleges that, contrary to Petcos claims, it did not take reasonable or appropriate measures to prevent commonly known attacks by hackers. The flaws allowed a hacker to access consumer records, including credit card numbers. The settlement requires that Petco implement a comprehensive information security program for its Web site.

This is the fifth FTC case challenging deceptive claims by businesses about the security they provided for consumers personal information.

Consumers have the right to expect companies to keep their promises about the security of the confidential consumer information they collect, said Lydia Parnes, Acting Director of the FTCs Bureau of Consumer Protection. The FTC will hold companies to their word.

Petco has sold pet food and supplies to consumers through its online store at since February 2001. According to the FTC, Petco made security claims on the Web site, such as:

At, protecting your information is our number one priority, and your personal information is strictly shielded from unauthorized access.

Entering your credit card number via our secure server is completely safe. The server encrypts all of your information; no one except you can access it.

But according to the complaint, the Web site was vulnerable to commonly known Web-based application attacks, such as Structured Query Language (SQL) injection attacks. The FTC alleges that Petco created these vulnerabilities in its Web site by failing to implement reasonable and appropriate security measures to secure and protect sensitive consumer information, including simple, readily available defenses that would have blocked such attacks.

The agency also charged that the sensitive information Petco obtained through its Web site was not maintained in an encrypted format, as it claimed. As a result, a hacker was able to penetrate the Petco Web site and access credit card numbers stored in unencrypted clear text. The FTC charged that Petcos claims were deceptive and violated the FTC Act.

The settlement prohibits Petco from misrepresenting the extent to which it maintains and protects sensitive consumer information. It also requires Petco to establish and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.

It also requires that Petco arrange biennial audits of its security program by an independent third party certifying that Petcos security program is sufficiently effective to provide reasonable assurance that the security, confidentiality, and integrity of consumers personal information has been protected. The settlement also contains record keeping provisions to allow the FTC to monitor compliance.