Women’s apparel cataloger/retailer Victoria’s Secret agreed on Oct. 20 to pay $50,000 in costs and penalties for leaving the names, addresses, and order information of more than 560 customers exposed on its Website to those who could figure out how to call up customer records.
Victoria’s Secret inadvertently exposed the information between August and November 2002. In November, a customer in Niantic, CT, found the gaffe and reported it to Victoria’s Secret, which fixed it within a few days. Victoria’s Secret would only make a formal statement on the matter: “We take issues of maintaining our customers’ privacy very seriously. When we became aware of the matter we addressed it and worked cooperatively with the appropriate authorities.”
In addition to payments to the 560 customers, the settlement calls for Victoria’s Secret to establish and maintain an information security program to protect personal information, establish management oversight and employee training programs, and hire an external auditor to annually monitor compliance with the security program.