Ziff Davis Media must pay $125,000 for failing to restrict access to customer personal information

Incident Date: August 2002
Incident Location: NY USA

Ziff Davis Media exposed the personal information of thousands in 2001 due to inadequate Web site security. The company must now pay some customers $500 for putting their credit card information at risk. In addition, the company will pay a fine of $100,000, which will be divided among New York, California, and Vermont, the three states that filed a lawsuit against Ziff Davis for the incident. This money will be used to repay investigative costs, educate consumers, and finance other programs. Ziff Davis must also revamp Web site security to improve protection of customer data. These concessions come as part of a settlement reached with the states in August, 2002.

Ziff Davis is the publisher of PC Magazine, Electronic Gaming Monthly, and other technology-related publications. Visitors to the Ziff Davis Web site discovered that they could access a file containing names, addresses, and email addresses (along with credit card numbers in some cases) of 12,000 people who signed up to receive Electronic Gaming Monthly magazine during a promotion. Approximately 50 customer credit card numbers were exposed by the lax security. Ziff Davis is required to pay these fifty individuals the $500, regardless of whether they experienced fraudulent credit card charges.

At least five customers had fraudulent credit card charges made on their accounts following the disclosure of a Web link (http://www.zdmcirc.com/formcollect/ebxbegamfile.dat) to the Ziff Davis file in a Web discussion forum. Ziff Davis removed the data from its Web site in November, 2001 after being notified of the public exposure. An investigation by the New York attorney general found that Ziff Davis failed to follow industry-standard security practices with regard to the file, such as using encryption, requiring password protection, and keeping logs of file access.

The attorneys general concluded that Ziff Davis was guilty of violating their states' laws, which prohibit deceptive business practices and false advertising. The company's privacy policy promised that it would take reasonable precautions to protect the personal information of customers. "Our investigation found that they didn't follow through on that promise," said New York assistant attorney general David Stampley, who handled the case.

Story Sources

Title: Website Security Flaw Costs ZD
Author: Brian McWilliams
Date: 8/28/2002
Publication: Wired Magazine
Publication Location: CA USA
Publication URL: http://www.wired.com/news/business/0,1367,54817,00.html

Title: A Tell-All ZD Would Rather Ignore
Author: Declan McCullagh
Date: 11/20/2001
Publication: Wired Magazine
Publication Location: CA USA
Publication URL: http://www.wired.com/news/ebiz/0,1272,48525,00.html

Title: Major Tech Publisher Reaches Agreement With Attorney General On E-Commerce Security Standards
Date: 8/28/2002
Publication: Press Release
From the Office of New York State Attorney General Eliot Spitzer
Publication Location: NY USA


Copyright © 2016 PasswordResearch.com