The New York City-based publishing company also must pay $500 to each U.S. customer who provided credit card information while the data was exposed, totaling about $25,000, according to Spitzer's office.
"There were some problems with unauthorized charges and people who had to cancel credit cards," said Julie Brill, an assistant attorney general in Vermont. "We felt consumers needed to be compensated in some manner. We're hoping nobody lost any money at all, but they had to spend time to deal with the problem."
California is the third state involved in the settlement.
The New York-led investigation stemmed from a magazine promotion Ziff Davis ran last November on its Electronic Gaming Monthly Web site. Insufficient online security allowed anyone surfing the Internet to access about 12,000 subscription orders for the magazine, one of nine the company publishes.
Only 50 of those subscribers paid by credit card. Five people reported that someone used that data to fraudulently charge items, such as computer software, to their accounts, said Spitzer spokeswoman Juanita Scarlett.
"The company's privacy policy promised reasonable security, but it was not effective in this case," Spitzer said. "With identity theft on the rise, consumers expect online businesses to recognize the sensibility of personal contact and credit card information and to take reasonable measures to protect that information."
The information remained easily available for about a month, until "good Samaritans" who viewed the material alerted subscribers via e-mail, Scarlett said.
Customers then contacted both Spitzer's office and Ziff Davis, which secured the data file and notified others who paid by credit card. Spitzer commended the company for its "prompt actions and cooperation."
A coding error caused the security violation, company spokeswoman Jasmine Alexander said.
In the agreement, the company promised to take specific measures to prevent another security breach. The money to the states covers the cost of the investigation, Scarlett said.
"We are confident in our security measures and fully committed to protecting our customers rights and privacy," Alexander said in a release. "We continue to take aggressive steps to ensure that all customer data on Ziff Davis Media's online network ... is not accessible to unauthorized parties."
Copyright 2002. Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.