Before Onvia.com's spectacular debut on Wall Street last week (up 200% on the first day), it had to file the usual documents that
outline the major risks for investors who buy stock. But the warnings might also resonate with customers who buy Onvia's small-business
products, such as a matching service for buyers and sellers at small companies, as well as online tools and advice.

In its federal registration statement, the Seattle-based company says serious privacy violations occurred at its Canadian operations
last July. Back then, the company was called MegaDepot.com. "An outside party was able to gain access to the private account
information, including credit card numbers, of some of our customers," says the Onvia filing. "This security breach occurred when we
inadvertently provided a few of our customers with the URL link to our internal database, and also inadvertently left the password
protection for our internal database turned off."

According to a July 20 article in the Toronto Star, which first broke the story, records of approximately 20,000 customers
were open for several days to anyone surfing the Web. What's more, the press found out before the company did. (Onvia runs a co-branded site for Business Week Online, but the arrangement did not exist at the time the security breach occurred.)

Jason Catlett, president of Junkbusters Corp., a Web privacy advocacy and consulting firm based in Green Brook, N.J., says such
security breaches are common. "Anyone who works in security knows that for every one reported incident, there are hundreds of unreported
ones," he says. That's why it's important for companies whose security has been compromised to undergo a systems audit and have a full
review of privacy policies. Catlett points out that's what Microsoft did after hackers broke into Hotmail, its free Web-based e-mail
service.

Onvia says it's on the case. Spokeswoman Gretchen Sorensen says the company brought in Deloitte & Touche to audit the company's
security procedures following the incident and has added state-of-the-art security and encryption technology "to ensure that our
customer information is secure," she says.

That all sounds encouraging, but the company's Feb. 29 filing told Onvia's investors, "We cannot assure you that the measures we
implement will not be circumvented." It also stated: "A security breach could occur again in the future." That's probably closer to the
mark these days for any Web site.

By Jeremy Quittner in New York