Information Security News mailing list archives

Website Security Flaw Costs ZD


From: InfoSec News <isn () c4i org>
Date: Thu, 29 Aug 2002 02:17:27 -0500 (CDT)

http://www.wired.com/news/business/0,1367,54817,00.html

By Brian McWilliams 
3:50 p.m. Aug. 28, 2002 PDT 

Ziff-Davis Media has agreed to revamp its website's security and pay
affected customers $500 each after lax security exposed the personal
data of thousands of subscribers last year.

The settlement, announced Wednesday by New York's attorney general,
could spur other online companies to do a better job securing their
sites, experts said.

"It used to be enough just to patch security problems, apologize and
get on with business. But this case shows that (regulators) are now
watching, and if you get burned, you may have a lawsuit on your
hands," said Greg Shipley, chief technology officer of Neohapsis, a
Chicago-based information security company that assisted the New York
authorities on the case.

The agreement between Ziff-Davis -- publisher of PC Magazine and other
tech titles, including a slew of gaming magazines -- and attorneys
general from New York, Vermont and California came after Web surfers
discovered an unprotected data file on Ziff-Davis' site in November.
The file contained names, addresses, e-mail addresses -- and, in some
instances, credit card numbers -- of 12,000 people who signed up for a
special promotion to receive Electronic Gaming Monthly magazine.

After the location of the data file was published in a Web discussion
forum, at least five consumers had fraudulent credit card charges made
on their accounts, according to the settlement agreement.

An investigation led by New York with the assistance of Neohapsis
revealed that Ziff-Davis failed to follow industry-standard security
practices, such as encrypting and password-protecting the data, and
keeping track of who accessed it.

According to the settlement agreement (PDF), the attorneys general
concluded that Ziff-Davis was guilty of violating their states'
business laws prohibiting deceptive business practices and false
advertising.

"Their privacy policy promised that they would take reasonable
precautions to protect customers' personal information. Our
investigation found that they didn't follow through on that promise,"  
said David Stampley, the New York assistant attorney general who
handled the case.

The agreement stipulates that Ziff-Davis must pay the state of New
York $100,000, which will be divided among the three states for
investigative costs, consumer education and other purposes.

Ziff-Davis will also send out a letter and check for $500 within the
next two weeks to approximately 50 customers whose credit card numbers
were exposed in the security breach, Stampley said.

The letter states that the payment is "in recognition of the
importance of maintaining the security and privacy of your data. We
have taken strong measures to ensure that all subscriber data files
remain secure now and in the future."

In a statement, New York-based Ziff-Davis said Wednesday that it had
not broken any laws, and the company termed the incident "a one-time
online security violation ... caused by a coding error."

Stampley said he was "surprised and disappointed" at Ziff-Davis'
characterization of the facts of the case.

"Acts such as failing to use SSL encryption and disabling Web server
logging indicate an ongoing failure to follow standard security
practices. We hope to send a message that such a failure to protect
consumers' data online is serious," he said.

Stuart McClure, president of security consultancy Foundstone, said the
threat of lawsuits is second only to system downtime as the biggest
motivation for companies to take security seriously.

"As soon as the lawyers start sinking their teeth into some of these
events, I think everybody's going to begin changing their tune. This
case could start the ball rolling," he said.


