[ISN] Website Security Flaw Costs ZD

From: InfoSec News (isnat_private)
Date: Thu Aug 29 2002 - 00:17:27 PDT


    By Brian McWilliams 
    3:50 p.m. Aug. 28, 2002 PDT 
    Ziff-Davis Media has agreed to revamp its website's security and pay
    affected customers $500 each after lax security exposed the personal
    data of thousands of subscribers last year.
    The settlement, announced Wednesday by New York's attorney general,
    could spur other online companies to do a better job securing their
    sites, experts said.
    "It used to be enough just to patch security problems, apologize and
    get on with business. But this case shows that (regulators) are now
    watching, and if you get burned, you may have a lawsuit on your
    hands," said Greg Shipley, chief technology officer of Neohapsis, a
    Chicago-based information security company that assisted the New York
    authorities on the case.
    The agreement between Ziff-Davis -- publisher of PC Magazine and other
    tech titles, including a slew of gaming magazines -- and attorneys
    general from New York, Vermont and California came after Web surfers
    discovered an unprotected data file on Ziff-Davis' site in November.
    The file contained names, addresses, e-mail addresses -- and, in some
    instances, credit card numbers -- of 12,000 people who signed up for a
    special promotion to receive Electronic Gaming Monthly magazine.
    After the location of the data file was published in a Web discussion
    forum, at least five consumers had fraudulent credit card charges made
    on their accounts, according to the settlement agreement.
    An investigation led by New York with the assistance of Neohapsis
    revealed that Ziff-Davis failed to follow industry-standard security
    practices, such as encrypting and password-protecting the data, and
    keeping track of who accessed it.
    According to the settlement agreement (PDF), the attorneys general
    concluded that Ziff-Davis was guilty of violating their states'
    business laws prohibiting deceptive business practices and false
    "Their privacy policy promised that they would take reasonable
    precautions to protect customers' personal information. Our
    investigation found that they didn't follow through on that promise,"
    said David Stampley, the New York assistant attorney general who
    handled the case.
    The agreement stipulates that Ziff-Davis must pay the state of New
    York $100,000, which will be divided among the three states for
    investigative costs, consumer education and other purposes.
    Ziff-Davis will also send out a letter and check for $500 within the
    next two weeks to approximately 50 customers whose credit card numbers
    were exposed in the security breach, Stampley said.
    The letter states that the payment is "in recognition of the
    importance of maintaining the security and privacy of your data. We
    have taken strong measures to ensure that all subscriber data files
    remain secure now and in the future."
    In a statement, New York-based Ziff-Davis said Wednesday that it had
    not broken any laws, and the company termed the incident "a one-time
    online security violation ... caused by a coding error."
    Stampley said he was "surprised and disappointed" at Ziff-Davis'
    characterization of the facts of the case.
    "Acts such as failing to use SSL encryption and disabling Web server
    logging indicate an ongoing failure to follow standard security
    practices. We hope to send a message that such a failure to protect
    consumers' data online is serious," he said.
    Stuart McClure, president of security consultancy Foundstone, said the
    threat of lawsuits is second only to system downtime as the biggest
    motivation for companies to take security seriously.
    "As soon as the lawyers start sinking their teeth into some of these
    events, I think everybody's going to begin changing their tune. This
    case could start the ball rolling," he said.
    ISN is currently hosted by Attrition.org