Ziff Davis Media must pay $125,000 for failing to restrict access to customer personal information
Incident Date: August 2002
Incident Location: NY USA

Ziff Davis Media exposed the personal information of thousands in 2001 due to inadequate Web site security. The company must now pay some customers $500 for putting their credit card information at risk. In addition, the company will pay a fine of $100,000, which will be divided among New York, California, and Vermont -- the three states that filed a lawsuit against Ziff Davis for the incident. This money will be used to repay investigative costs, educate consumers, and finance other programs. Ziff Davis must also revamp Web site security to improve protection of customer data. These concessions come as part of a settlement reached with the states in August, 2002.

Ziff Davis is the publisher of PC Magazine, Electronic Gaming Monthly, and other technology-related publications. Visitors to the Ziff Davis Web site discovered that they could access a file containing names, addresses, and email addresses -- along with credit card numbers in some cases -- of 12,000 people who signed up to receive Electronic Gaming Monthly magazine during a promotion. Approximately 50 customer credit card numbers were exposed by the lax security. Ziff Davis is required to pay each of these fifty individuals the $500, regardless of whether they experienced fraudulent credit card charges. At least five customers had fraudulent credit card charges made on their accounts following the disclosure of a Web link (http://www.zdmcirc.com/formcollect/ebxbegamfile.dat) to the Ziff Davis file in a Web discussion forum. Ziff Davis removed the data from its Web site in November, 2001 after being notified of the public exposure.

An investigation by the New York attorney general found that Ziff Davis failed to follow industry-standard security practices with regard to the file, such as using encryption, requiring password protection, and keeping logs of file access.
The attorneys general concluded that Ziff Davis was guilty of violating their states’ laws which prohibit deceptive business practices and false advertising. The company’s privacy policy promised that they would take reasonable precautions to protect the personal information of customers. "Our investigation found that they didn’t follow through on that promise," said New York assistant attorney general David Stampley, who handled the case.

Story Sources

Title: Website Security Flaw Costs ZD
Author: Brian McWilliams
Date: 8/28/2002
Publication: Wired Magazine
Publication Location: CA USA
Publication URL: http://www.wired.com/news/business/0,1367,54817,00.html

Title: A Tell-All ZD Would Rather Ignore
Author: Declan McCullagh
Date: 11/20/2001
Publication: Wired Magazine
Publication Location: CA USA
Publication URL: http://www.wired.com/news/ebiz/0,1272,48525,00.html

Title: Major Tech Publisher Reaches Agreement With Attorney General On E-Commerce Security Standards
Author:
Date: 8/28/2002
Publication: Press Release From the Office of New York State Attorney General Eliot Spitzer
Publication Location: NY USA