Zappos Slapped with Data Breach Settlement

Nevada-based online clothing and shoe retailer has agreed to pay a total of $106,000 and take actions to better protect consumers’ information following a 2012 data breach that placed 24 million consumers' personal data at risk.

The payment was won by attorneys general in nine states: Arizona, Connecticut, Florida, Kentucky, Maryland, Massachusetts, North Carolina, Ohio and Pennsylvania.

Hackers gained unauthorized access to one of Zappos’s computer servers in Kentucky January 2012, and though there was no evidence that full credit or debit card numbers or other payment data was impacted, plenty of personal information was placed at risk. That included customer names, billing and shipping addresses, telephone numbers, the last four digits of credit card numbers, and login credentials (which can be used in brute-force gambits of other accounts).

“Businesses, including online retailers, must appropriately protect their customers' information by guarding against data breaches,” said Massachusetts Attorney General Martha Coakley, in a statement. Under the terms of the settlement, Massachusetts will receive more than $11,000. “Our office will continue to hold retailers accountable for failing to follow their own policies regarding consumer data that they maintain, and make sure that all companies have reasonable data security measures in place.”

Zappos is also required to provide the attorneys general with its current security policy regarding customer information, along with copies of reports demonstrating compliance with the Payment Card Industry Data Security Standard for two years. It also agreed to have a third party conduct an audit of its security of personal information, provide the audit report to the attorneys general, and address any identified deficiencies; and, provide annual training to employees regarding its security policies.

AG Coakley in particular has led multiple investigations into potential violations of the state’s data protection laws. In December 2014, TD Bank agreed to pay $625,000 and strengthen its security practices after losing unencrypted back-up tapes containing personal information for more than 90,000 Massachusetts customers.

What’s Hot on Infosecurity Magazine?