Stephen Cobb

A computer programmer visited Guess.com last year to look for jeans. Before entering his order, he keyed into the site’s address bar a string of characters, and up popped about 200,000 of Guess.com’s customer names and credit card numbers. His selection of characters wasn’t random. Rather, the code he keyed in is well-known among programmers, and plugging it in is called an SQL (Structured Query Language) injection attack. In June, Guess.com settled for an undisclosed sum with the Federal Trade Commission (FTC) on charges that it misled consumers by stating in its privacy policy that it protected consumer data when, in fact,
