http://www.wired.com/news/business/0,1367,54817,00.html

By Brian McWilliams
3:50 p.m. Aug. 28, 2002 PDT

Ziff-Davis Media has agreed to revamp its website's security and pay affected customers $500 each after lax security exposed the personal data of thousands of subscribers last year.

The settlement, announced Wednesday by New York's attorney general, could spur other online companies to do a better job securing their sites, experts said.

"It used to be enough just to patch security problems, apologize and get on with business. But this case shows that (regulators) are now watching, and if you get burned, you may have a lawsuit on your hands," said Greg Shipley, chief technology officer of Neohapsis, a Chicago-based information security company that assisted the New York authorities on the case.

The agreement between Ziff-Davis -- publisher of PC Magazine and other tech titles, including a slew of gaming magazines -- and attorneys general from New York, Vermont and California came after Web surfers discovered an unprotected data file on Ziff-Davis' site in November.

The file contained names, addresses, e-mail addresses -- and, in some instances, credit card numbers -- of 12,000 people who signed up for a special promotion to receive Electronic Gaming Monthly magazine.

After the location of the data file was published in a Web discussion forum, at least five consumers had fraudulent credit card charges made on their accounts, according to the settlement agreement.

An investigation led by New York with the assistance of Neohapsis revealed that Ziff-Davis failed to follow industry-standard security practices, such as encrypting and password-protecting the data, and keeping track of who accessed it.

According to the settlement agreement (PDF), the attorneys general concluded that Ziff-Davis was guilty of violating their states' business laws prohibiting deceptive business practices and false advertising.
"Their privacy policy promised that they would take reasonable precautions to protect customers' personal information. Our investigation found that they didn't follow through on that promise," said David Stampley, the New York assistant attorney general who handled the case.

The agreement stipulates that Ziff-Davis must pay the state of New York $100,000, which will be divided among the three states for investigative costs, consumer education and other purposes.

Ziff-Davis will also send out a letter and check for $500 within the next two weeks to approximately 50 customers whose credit card numbers were exposed in the security breach, Stampley said.

The letter states that the payment is "in recognition of the importance of maintaining the security and privacy of your data. We have taken strong measures to ensure that all subscriber data files remain secure now and in the future."

In a statement, New York-based Ziff-Davis said Wednesday that it had not broken any laws, and the company termed the incident "a one-time online security violation ... caused by a coding error."

Stampley said he was "surprised and disappointed" at Ziff-Davis' characterization of the facts of the case.

"Acts such as failing to use SSL encryption and disabling Web server logging indicate an ongoing failure to follow standard security practices. We hope to send a message that such a failure to protect consumers' data online is serious," he said.

Stuart McClure, president of security consultancy Foundstone, said the threat of lawsuits is second only to system downtime as the biggest motivation for companies to take security seriously.

"As soon as the lawyers start sinking their teeth into some of these events, I think everybody's going to begin changing their tune. This case could start the ball rolling," he said.