Zappos faces class-action lawsuit on behalf of 24 million customers

Theresa Stevens, a resident of Beaumont, Texas, filed a class-action compliant in federal court in Louisville, Ky., against for failing to protect the personal information of Zappos’s customers.

“Defendant failed to adopt and maintain adequate procedures to protect [personal] information and limit its dissemination only for permissible purposes set forth in the FCRA [Fair Credit Reporting Act]. Defendant’s wrongful actions and/or inaction also constitute common law invasion of privacy by the public disclosure of private facts and common law negligence”, the complaint alleged.

The complaint argued that Stevens and other Zappos’ customers should be compensated for the expenses related to the breach, including “actual damages, economic damages, mental anguish damages, statutory damages and/or nominal damages, exemplary damages, injunctive relief, and attorneys’ fees, litigation expenses and costs.”

In an interview with Infosecurity, Joe Magee, chief technology officer (CTO) with security threat intelligence firm Vigilant, noted that while the hackers did not gain access to the full credit card numbers of Zappos’ customers, they stole enough information to launch phishing attacks that could lead to further compromises. “The biggest risk – if we are talking about addresses, email addresses, phone numbers – is general spam-oriented malware, such as phishing, drive-by downloads, that sort of thing”, he said.

Magee explained that the Zappos' breach highlights security issues that many companies face. First of all, checking data security compliance boxes does not always ensure security. “Compliance isn’t security….Usual the compliance bar is pretty low compared to mitigating risk, such as securing the data layer, application layer, and network layer”, he said.

In addition, the Vigilant CTO recommended that companies use better encryption across the board. “That would have prevented this information from going out into the wild”, he said.

Magee also recommended that companies encourage customers and employees to use different passwords for their various accounts, such as Facebook, Gmail, or bank accounts.

“Many people use the same username and password for a large majority of their personal information. When a breach like this occurs, fraudsters, will launch access campaigns to try their username or email address and password against a number of popular sites to see if that have a cross referenced match”, he said.

What’s hot on Infosecurity Magazine?