The lingerie stores' Columbus-based parent company, Limited Brands, said it fixed the problem within days of being notified by a customer last November. New York Attorney General Eliot Spitzer announced the fine and settlement with Limited on Tuesday.
A glitch in a feature allowing customers to check their order status allowed them to randomly call up other orders, seeing details such as sizes, prices, customer names and addresses. The faulty site didn't reveal credit card numbers or allow visitors to search orders by name.
The company is notifying about 560 customers who were affected nationwide by mail, spokesman Anthony Hebron said. New York was the only state to take legal action, he said Wednesday.
The settlement requires Victoria's Secret to provide refunds or credits to affected customers in New York. The company has not yet determined the number of customers in the state or the amount of potential refunds, Hebron said.
It also requires the company to establish an information security program and hire an external auditor to review it yearly.