Zappos Sued Over Data Breach

Class-Action Suit Argues Data Not Safeguarded
Zappos and its parent company face a class action lawsuit stemming from a recent data breach that affected more than 24 million customers (see: Zappos Breach Affects 24 Million).

In the lawsuit, Stevens v. Inc., filed Monday in the U.S. District Court for the Western District of Kentucky, attorneys for Theresa D. Stevens claim that the defendants were entrusted with "safeguarding plaintiff's and class members' PCAI [personal customer account information]" and are in violation of the Fair Credit Reporting Act. The suit alleges the defendants failed to adopt and maintain adequate procedures to protect information and limit its dissemination only for the permissible purposes set forth in the Act.

The defendants' actions also "constitute common law invasion of privacy by the public disclosure of private facts and common law negligence," the suit argues.

The suit states, "Plaintiff and class members are entitled to compensation for their actual damages including ... expenses for credit monitoring and identity theft insurance, out-of-pocket expenses, and other economic and non-economic harm, or statutory damages of not less than $100, and not more than $1,000, each, as well as attorneys fees, litigation expenses and costs, pursuant to [the Act]."

Zappos officials declined to comment on the lawsuit and said any updates would be provided on its blog.

Zappos Breach Details

In a blog entry posted Jan. 15, Tony Hsieh, CEO of Zappos, explained that a criminal gained access to certain parts of the network through one of the company's servers in Kentucky.

The data breach resulted in unauthorized access to customer account information including: names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers and/or the cryptographically scrambled (hashed) passwords, but not the plaintext passwords themselves. Hashed passwords are still valuable to an attacker: if the hash is fast and unsalted, common passwords can be recovered by offline guessing, and any password reused on other sites is then exposed as well.

The database that stores customers' critical credit card and other payment data was not affected or accessed, Hsieh stressed.
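As an added illustration, not from the article, Zappos or the lawsuit, of why "cryptographically scrambled" passwords in a breach are not automatically safe, the Python below hashes a constructed, hypothetical set of accounts two ways (a fast unsalted SHA-1 digest, and PBKDF2-HMAC-SHA256 with a per-user salt and many iterations) and runs the same small guess list against both leaks. Every account, password and guess is made up for the example.

```python
"""Added example (not Zappos' code or data): offline guessing against leaked
password hashes, comparing a weak scheme with a salted, iterated one.

All accounts, passwords and guesses below are constructed for illustration.
"""
import hashlib
import hmac
import os

# Constructed sample accounts (hypothetical, not real breach data).
USERS = {
    "alice@example.com": "password1",
    "bob@example.com": "Tr0ub4dor&3",
    "carol@example.com": "xk9#Qw!2pL7z",   # deliberately absent from the guess list
}

# Constructed guess list standing in for a cracking dictionary.
GUESSES = ["123456", "password", "password1", "letmein", "Tr0ub4dor&3", "zappos"]

PBKDF2_ITERS = 100_000


def sha1_unsalted(password: str) -> str:
    """Weak scheme: one fast, unsalted digest per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: bytes, iters: int = PBKDF2_ITERS) -> str:
    """Stronger scheme: per-user random salt plus an iterated key derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters).hex()


def leak_unsalted(users: dict = USERS) -> dict:
    """What an attacker would obtain from a table of unsalted SHA-1 hashes."""
    return {u: sha1_unsalted(p) for u, p in users.items()}


def leak_salted(users: dict = USERS, iters: int = PBKDF2_ITERS) -> dict:
    """What an attacker would obtain from a salted PBKDF2 table: (salt, digest) per user."""
    leaked = {}
    for u, p in users.items():
        salt = os.urandom(16)
        leaked[u] = (salt, pbkdf2_salted(p, salt, iters))
    return leaked


def crack_unsalted(leaked: dict, guesses: list) -> tuple:
    """Hash each guess once, then look every user up in that table.
    Work: len(guesses) fast hashes, no matter how many users leaked."""
    table = {sha1_unsalted(g): g for g in guesses}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(guesses)


def crack_salted(leaked: dict, guesses: list, iters: int = PBKDF2_ITERS) -> tuple:
    """The per-user salt defeats the shared lookup table: every guess must be
    re-derived for every user. Work: up to len(users) * len(guesses) slow hashes."""
    found = {}
    work = 0
    for user, (salt, digest) in leaked.items():
        for g in guesses:
            work += 1
            if hmac.compare_digest(pbkdf2_salted(g, salt, iters), digest):
                found[user] = g
                break
    return found, work


if __name__ == "__main__":
    weak_found, weak_work = crack_unsalted(leak_unsalted(), GUESSES)
    strong_found, strong_work = crack_salted(leak_salted(), GUESSES)
    print("unsalted SHA-1:", weak_found, "after", weak_work, "hashes")
    print("salted PBKDF2:", strong_found, "after", strong_work, "slow derivations")
```

Both schemes give up the two weak passwords in this toy run, because the guess list is tiny; the difference is the cost curve. The unsalted table is cracked for every user at once with a handful of fast hashes, while the salted, iterated scheme forces one expensive derivation per guess per user, which is what makes a large breach survivable long enough for users to be told to change their passwords.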

But the lawsuit contends that as a result of the breach, hackers now have information on Zappos customers that can be used to lure them into providing more personal information. "As such, consumers ... are more likely to unknowingly give away their sensitive personal information to 'phishing' and 'pharming' thieves who specialize in constructing spoof websites and e-mails that mirror the brand they're spoofing - such as and/or other popular online retailers and financial institutions."

Analyzing Zappos' Response

Zappos was quick to communicate after discovering the data breach, but the company's response has been getting mixed reviews.

Francoise Gilbert of the IT Law Group lauds the retailer for sending quick, informal notification. But she doesn't support the company's tactics of shutting down its customer service phone lines and denying access to the website from locations outside the U.S.

"I understand why they did that, because they were overwhelmed," Gilbert says. "But that's not appropriate for a company of their size. Zappos is not a start-up" (See: Zappos Breach Notice: Lessons Learned).

About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
