In a blistering ruling delivered last Friday, the Victoria Supreme Court upheld AuDA’s termination of Bottle Domains’ registrar agreement, withdrawing its license to sell domain names and trade as a domain name registrar, for its lack of sufficient warning to customers whose credit card information was hacked from their system.

Two incidents were cited, the first a security breach in 2007 which Bottle Domains apparently did not disclose to customers or to AuDA, and the other in January 2009, when at least part of their database of customers and their credit card details was successfully stolen and sold online. The database was stored openly, without security encryption, by Bottle Domains’ parent company, Australian Style.

Bottle Domains’ owner, Nicholas Bolton, allegedly covered up the first incident and downplayed the seriousness of the second, displaying what Justice Hargrave of the court termed an “extraordinary indifference to the effect of credit card fraud on its victims” and a lack of cooperation with regulatory officials, for which its registrar agreement was terminated.

Final orders in the case are scheduled for Wednesday.

Bolton did notify the AuDA regarding the second incident, and an email warning customers of the security breach was drafted and approved by regulators. However, the email actually sent to customers was a modified version, apparently in an attempt to downplay the risk that credit card fraud and identity theft could result from the breach, as it “omitted the paragraph recommending that registrants remain vigilant and monitor their domains, accounts and credit card transactions.”

Bolton claimed the “defective” email was sent due to an error in cutting and pasting. The court scoffed at the excuse.

Justice Hargrave stated that Bolton’s behaviour was caused by “his desire to retain the business of registrants” rather than warning them of the risks involved.

Bolton admitted he wanted to withhold warning customers until the extent of the security breach was ascertained by the Australian Federal Police. Such a warning was not “time-sensitive,” he believed, because any problems caused by the breach could be dealt with after the fact, as the ultimate responsibility for credit card fraud and identity theft lay with vendors, banks, and insurance companies, rather than the customers involved—a claim the court seemed to find irresponsible at best.

Details of the possibly stolen credit cards were not immediately released by Bolton to the Australian Federal Police upon request, further delaying any appropriate response that might have been attempted by customers and banks.

Source: IT News