A Tell-All ZD Would Rather Ignore

November 20, 2001

By Declan McCullagh


If you subscribe to any of Ziff Davis' computer magazines, you may want to double-check your credit card bill next month.

Ziff Davis Media, which publishes such popular tech titles as Yahoo Internet Life and PC Magazine, accidentally posted the personal information of about 12,500 magazine subscribers on its website.

On Monday, Ziff Davis removed the data, which included hundreds of credit card numbers, and said its engineers had taken steps to prevent additional security leaks.

"We discovered that there was a problem on the site and we pulled the information down," said Ziff Davis spokesman Randy Zane. "We're contacting all the subscribers -- the people who were affected."

Because Ziff Davis' 1.3-MB text file included names, mailing addresses, e-mail addresses and in some cases credit card numbers, a thief who downloaded it would have enough information to make fraudulent mail-order purchases. An executive at one New York magazine firm called the error "a bush-league mistake for a major online publisher."

Zane said Ziff Davis relies on EDS and Omeda database technology to protect subscriber information. He refused to provide details, except to say that "we were doing a promotion not using the EDS and Omeda products."

In interviews, two people who appeared on the Ziff Davis list said they had typed in their information when responding to a promotion for Electronic Gaming Monthly.

"I went to the site and signed up for the free year, but did not sign up for the second year, which was not free," said Jerry Leon of Spokane, Washington, whose Visa number and expiration date appeared in the file. "I get the feeling that this was one huge scam, but that card is now dead, and any charges made on it will be refused."

"If it was just a stupid accident, they are going to regret failing a community that worries about this stuff ever happening, but if something less innocent has occurred, they may as well fold the tents," said Leon, who signed up through AnandTech's hot deals forum.

Rob Robinson, whose address information -- but not credit card number -- was on display, says he subscribed to Electronic Gaming Monthly through a promotion on ebgames.com.

"I'm annoyed that my home info as well as a valid e-mail is available to anyone. That's quite a valuable list of gamers' personal data up for grabs. I feel really bad for the poor folks who are going to have to cancel their credit cards," Robinson said.

It's not clear whether Electronic Gaming Monthly subscribers were the only ones affected by the security snafu, and Ziff Davis refused to provide details. The file appeared at the address http://www.zdmcirc.com/formcollect/ebxbegamfile.dat until around noon EST on Monday.

That address began circulating around Home Theater Forum discussion groups over the weekend, and Ziff Davis at first erased the contents of the database at around 9 a.m. EST Monday. But its system continued to add new subscribers to the public file until Ziff Davis administrators blocked access to that address around midday Monday.
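What turned a promotion form into a public subscriber list was a form collector that appended every submission to a file inside the web server's document root, so the data was reachable at a plain URL and kept growing even after its contents were wiped. The script below is an added example written for this page; it is not code that Ziff Davis, EDS or Omeda ran. It shows two defender-side checks for that failure mode: a test that a collector's output path lies outside the document root, and a scan of a served directory tree for data files that contain Luhn-valid card numbers. The sample file, its path (echoing the one named in the article) and the card numbers in it are constructed test data; 4111 1111 1111 1111 is a widely used test number that passes the Luhn check, and the variant ending in 2 does not.

```python
import re
import tempfile
from pathlib import Path

# Runs of 13-19 digits, optionally separated by spaces or dashes, not
# embedded in a longer digit string (e.g. an order number).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# File types a form collector typically dumps submissions into.
DATA_SUFFIXES = (".dat", ".txt", ".csv", ".log")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return digit strings in text that look like card numbers and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def is_web_exposed(output_path, docroot) -> bool:
    """True if a collector's output file would be served by the web server.

    Any file under the document root is fetchable by URL unless the server
    is explicitly configured to deny it; the safe default is to write
    collected form data somewhere outside the document root entirely.
    """
    out = Path(output_path).resolve()
    root = Path(docroot).resolve()
    return out == root or root in out.parents


def scan_docroot(docroot, suffixes=DATA_SUFFIXES) -> dict[str, int]:
    """Map each data file under docroot to the number of valid card numbers it holds.

    Files with no card-like content are omitted from the result.
    """
    docroot = Path(docroot)
    findings: dict[str, int] = {}
    for path in sorted(docroot.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue            # unreadable file: not served, nothing to report
        n = len(find_card_numbers(text))
        if n:
            findings[str(path.relative_to(docroot))] = n
    return findings


def demo() -> dict[str, int]:
    """Build a constructed document root with a collector file and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp)
        # Constructed sample: a collector file sitting inside the docroot.
        collector = docroot / "formcollect" / "ebxbegamfile.dat"
        collector.parent.mkdir()
        collector.write_text(
            "Jane Doe|100 Main St|jane@example.com|4111 1111 1111 1111|12/03\n"  # valid Luhn
            "John Roe|200 Elm St|john@example.com|4111 1111 1111 1112|01/04\n"   # fails Luhn
            "Ann Poe|300 Oak St|ann@example.com||\n"                             # no card
        )
        return scan_docroot(docroot)


if __name__ == "__main__":
    print(demo())
    print(is_web_exposed("/var/www/html/formcollect/x.dat", "/var/www/html"))
```

Run periodically against the served tree (or wire `is_web_exposed` into the deployment check for any script that writes files), and treat a non-empty result as an incident rather than a cleanup task: as the article shows, emptying the file is not enough while the collector keeps appending to it.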

"Every week we learn of new cases where companies used insecure technology or unsecure servers to handle business that utilizes financial information or customer information," says Jericho, who edits the security news site attrition.org. "In the rush to be e-appealing for e-business they e-screw up time and time again."

Jericho has compiled a list of miscreant firms whose shoddy security practices have exposed customer information. The hall of shame includes notables such as Amazon, Gateway, Hotmail and Verizon.

Ziff Davis Media publishes 11 print magazines. It is a separate company from ZDNet, which is owned by CNET Networks.
