The Green Sheet, Inc


The Green Sheet Online Edition

February 13, 2012  •  Issue 12:02:01

hit with breach, lawsuit

Online fashion retailer and subsidiary revealed in on Jan. 15, 2012, that over 24 million of its customer accounts were breached. said a fraudster was able to obtain names, email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers listed with accounts, and encrypted passwords.

A class-action lawsuit on behalf of customers was subsequently filed Jan. 16, 2012, in the Western District of Kentucky in Louisville.

Tony Hsieh, Chief Executive Officer, emphasized that the database where credit card and other payment data is stored was not breached. "We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky," he wrote to employees and customers following the breach. "We are cooperating with law enforcement to undergo exhaustive investigation."

disconnected its customer service phone lines following the breach, electing to answer customer inquiries into the breach only by email. Hsieh explained, "We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren't capable of handling so much volume. (If 5 percent of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)"

urged customers to change passwords on its site and on any other sites where they use the same passwords. "We've spent over 12 years building our reputation, brand and trust with our customers," Hsieh said. "It's painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers' critical credit card and other payment data was not affected or accessed."


The class-action lawsuit filed in Kentucky said the breach not only forced customers to take the time to reset passwords on and on other sites, but it also represented an invasion into customer privacy that may have future repercussions. "[P]laintiff and class members now face a greater risk of identity theft - including, but not limited to, identity theft from 'phishing' and 'pharming,'" according to the suit.

The complaint charges with willful and negligent violation of the Fair Credit Reporting Act, along with negligence and invasion of privacy by public disclosure of private facts. The class action seeks compensation for customers who, among other things, lost the use of passwords and must deal with credit monitoring and identity theft insurance issues, as well as damages for anxiety and emotional distress caused by the breach.

The complaint also asks for other damages to punish's alleged wrongful conduct and a requirement that submit to periodic compliance audits to ensure cardholder data security is maintained.

When reached for comment, Senior Public Relations Director Diane Coffey said, "We are aware of the lawsuit. Our company policy is not to comment on pending litigation. Every single department in our company is currently focused on assisting customers." At press time, plaintiff attorneys had not responded to requests for comment.


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
