Thursday, January 19, 2012
Online fashion retailer and Amazon.com subsidiary Zappos.com revealed Jan. 15, 2012, that over 24 million of its customer accounts were breached. Zappos.com said a fraudster was able to obtain names, email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers listed with accounts, and encrypted passwords. A class-action lawsuit on behalf of Zappos.com customers was subsequently filed Jan. 16, 2012, in the Western District of Kentucky in Louisville.
Tony Hsieh, Zappos.com Chief Executive Officer, emphasized that the database where credit card and other payment data is stored was not breached. "We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky," he wrote to employees and customers following the breach. "We are cooperating with law enforcement to undergo exhaustive investigation." Zappos.com disconnected its customer service phone lines following the breach, electing to answer customer inquiries into the breach only by email. Hsieh explained, "We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren't capable of handling so much volume. (If 5 percent of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)"
Zappos.com urged customers to change passwords on its site and on any other sites where they use the same passwords. "We've spent over 12 years building our reputation, brand and trust with our customers," Hsieh said. "It's painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers' critical credit card and other payment data was not affected or accessed."
The class-action lawsuit filed in Kentucky said the breach not only forced customers to take the time to reset passwords on Zappos.com and on other sites, but it also represented an invasion into customer privacy that may have future repercussions. "[P]laintiff and class members now face a greater risk of identity theft – including, but not limited to, identity theft from 'phishing' and 'pharming,'" according to the suit.
The complaint charges Zappos.com with willful and negligent violation of the Fair Credit Reporting Act, along with negligence and invasion of privacy by public disclosure of private facts. The class action seeks compensation for customers who, among other things, lost the use of passwords and must deal with credit monitoring and identity theft insurance issues, as well as damages for anxiety and emotional distress caused by the breach. The complaint also asks for other damages to punish Zappos.com's alleged wrongful conduct and a requirement that Zappos.com submit to periodic compliance audits to ensure cardholder data security is maintained.
When reached for comment, Zappos.com Senior Public Relations Director Diane Coffey said, "We are aware of the lawsuit. Our company policy is not to comment on pending litigation. Every single department in our company is currently focused on assisting customers."
At press time, plaintiff attorneys had not responded to requests for comment.
In other news, the San Francisco Chronicle reported Jan. 13, 2012, that international cyber thieves in Russia, China, Iran and at least seven other countries had access to the computers at City College of San Francisco since 1999. So far no identity theft cases have been linked to the breach, the Chronicle said. The college is reportedly still assessing the damage and forming a public response to the breach. By deadline, a college spokesman had not returned a request from The Green Sheet for an update to the investigation.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.