Zappos data breach settlement: users get 10% store discount, lawyers get $1.6m

Long-time readers will remember the 2012 Zappos breach that impacted 24 million of their online customers. The breach and its resulting litigation have been covered on this site previously, including Zappos’s failure in March of this year to get the Supreme Court to hear their appeal of a Ninth Circuit decision that had allowed the case to go forward. With no help from the Supreme Court, the case moved towards settlement. And now Catalin Cimpanu reports: Zappos users who had their data stolen in a 2012 data breach will receive only a meager 10% discount to use on the Zappos online store, as part of a proposed class-action lawsuit settlement. Their lawyers, on the other hand, are set to receive $1,620,000 in attorneys’ fees and other legal costs, according to a preliminary settlement filed last month. Read more on ZDNet.

Supreme Court rejects Amazon’s Zappos on data breach lawsuit

Melissa Locker reports: In 2012, 24 million Zappos customers found out that hackers had accessed their personal information. Since then, customers have fought to sue Zappos, Amazon’s online shoe retailer, over the data breach. Now, the U.S. Supreme Court has rejected an appeal, meaning they can move forward with a class-action lawsuit against the company for the breach that left them vulnerable to identity theft and fraud. Zappos was trying to appeal a ruling by a San Francisco-based appeals court that allowed the case to continue, even though there was little evidence of actual harm to consumers. Read more on FastCompany.

Ninth Circuit Revives Data Breach Claims Against Zappos

In January 2012, Zappos announced that it was notifying more than 24 million consumers to change their passwords following a hack. In the months that followed, the predictable lawsuit was filed, and state attorneys general started investigating. Eventually, Zappos settled with the states, and the class-action lawsuit was dismissed in 2015. Whew, right? Not so fast, though. Ross Todd reports that the consumer lawsuit has been revived: A federal appellate court has revived claims against online shoe retailer Inc. related to a 2012 data breach where hackers stole the personal information of more than 24 million customers. The U.S. Court of Appeals for the Ninth Circuit on Thursday found that the “imminent” risk of identity theft from the Zappos breach was enough to establish standing to sue for those customers who had not yet been the victim of fraud. The decision reversed a ruling from U.S. District Judge Robert Clive Jones of the District of Nevada who dismissed the claims from plaintiffs who hadn’t alleged any instances of identity theft at the time of the suit. Read more on The Recorder.

Zappos proposed data breach class action litigation dismissed

Kathryn Sylvia reports: Continuing the growing trend of dismissing data breach cases when there is no evidence of actual harm, the United States District Court for the District of Nevada last week dismissed a class action case filed against Zappos related to a 2012 hacking incident. Following the hacking incident, Zappos provided notice of the data breach to over 24 million customers that their names, email addresses, addresses, telephone numbers, last four digits of their credit card numbers and account numbers and passwords were compromised. Read more on Data Privacy and Security Insider.

Zappos data breach settlement falls apart over attorneys’ fees

Back in January 2012, Zappos, which is owned by Amazon, disclosed that it had been hacked and that it was notifying more than 24 million customers. Less than one week later, the first lawsuit had been filed. Shortly thereafter, state attorneys general opened their own investigation into the breach. In January 2015, Zappos settled with the nine state attorneys general. Things did not go as well with the consumer lawsuit, however. Zappos tried – unsuccessfully – to get the lawsuits dismissed on the basis of the arbitration clause in its user agreement. After that motion failed, it reached a tentative settlement with the plaintiffs on everything but attorney fees, with a mediation session on that issue scheduled for November 12, 2014. The mediation session did not take place, however, because when Zappos counsel saw how far apart the plaintiffs’ requested attorney fees were from what Zappos considered reasonable, they felt there was no point in a mediation session. So instead of finalizing any agreement, Zappos decided to litigate the case and on January 30, 2015 filed a renewed motion to dismiss the plaintiffs’ second amended complaint. And although plaintiffs moved the court to enforce a class action settlement, the court held that it could not enforce one because of the lack of agreement on the attorneys’ fees, which the court considered a material and essential component of the agreement. Courtney Coren reports that the Nevada federal judge granted a motion by the plaintiffs to extend the amount of time they have to issue a response to his ruling of March 27. — The Zappos Data Breach Class Action Lawsuit is In Re Zappos, Inc., Security Breach Litigation, Case No. 3:12-cv-00325-RCJ-VPC, filed in the U.S. District Court for the District of Nevada.

Zappos settles charges with nine states over data breach

There’s been a settlement of charges stemming from a breach disclosed in 2012 that affected 24 million consumers.

The settlement requires the online shoe store to guard data, pay $106,000 to NC and 8 states

Raleigh: Nevada-based online retailer will take steps to better protect consumers’ personal information, Attorney General Roy Cooper announced Wednesday.

“When you entrust your personal information to a business, you expect that business to keep it safe,” Cooper said. “Businesses must take the threat of a security breach seriously, and they must do more to protect consumers’ data.”

Zappos will improve protections for customer data under a settlement announced today between the retailer and attorneys general for nine states including North Carolina. The settlement follows an investigation into a 2012 data breach that released the names, billing and shipping addresses, email addresses, telephone numbers and login credentials of Zappos’ shoppers. Zappos will also pay the settling states $106,000, including $11,111 to North Carolina to help fund consumer protection efforts in the state. Other states participating in the case include Arizona, Connecticut, Florida, Kentucky, Maryland, Massachusetts, Ohio, and Pennsylvania.

Under the settlement, Zappos is required to take a number of steps to better secure customers’ information and help guard against future hackings or security breaches. Zappos must:

Maintain and comply with information security policies and procedures;
Provide the attorneys general with its current security policy regarding customer information;
Provide the attorneys general copies of reports demonstrating compliance with the Payment Card Industry Data Security Standard for two years;
Have a third party conduct an audit of its security of personal information, provide the audit report to the attorneys general, and address any identified deficiencies; and
Provide annual training to employees regarding its security policies.
“Consumers can also protect themselves through common-sense steps like using a different password for each online account and a low-limit credit card for online purchases,” Cooper said.  “It’s also wise to check your credit card statements and your credit report regularly so you can catch problems quickly.” Consumers can get one free credit report per year from each of the three credit reporting agencies at or by calling 1-877-322-8228. SOURCE: Attorney General Roy Cooper

How Zappos’ User Agreement Failed In Court and Left Zappos Legally Naked

Eric Goldman writes: In January, Zappos (part of $AMZN) announced a massive data security breach affecting 24 million consumers. As typically happens in these situations, plaintiffs’ class action lawyers swarmed over Zappos for the breach, filing dozens of lawsuits. Zappos tried to send the lawsuits to arbitration based on an arbitration clause in its user agreement. Recently, a federal court struck down its user agreement, denying Zappos’ arbitration request. This is an unfortunate ruling for Zappos, because its contract–now dead–would have been quite helpful in combating this high-profile and potentially very expensive data security breach lawsuit. More importantly, the mistakes Zappos made in its user agreement–though common throughout the Internet–are completely and easily avoidable. This post will make some suggestions for how to avoid Zappos’ fate. Read more on Forbes.

(Update) Attorneys General Seek Info about Zappos breach

Concerned about a recent hacking attack that may have affected more than 24 million customers, Attorney General George Jepsen, with support from nine other states, has asked, Inc. about its efforts to protect private customer information and its response to the breach. The Attorney General wrote to the chief executive officer of the on-line retailer’s Nevada headquarters Friday seeking information about how the breach occurred, how affected customers were identified and notified and any corrective plans developed in response. “This incident raises serious concerns about the possibility of fraud and targeted e-mail ‘phishing’ or other scams, as well as questions about the effectiveness of the company’s measures to protect the confidentiality and security of private information that it receives from consumers,” Attorney General Jepsen wrote. Published reports said the hacking affected parts of the company’s internal network and systems, compromising a wide array of personal customer information, including names, billing and shipping addresses, e-mail addresses, phone numbers and encrypted passwords. Jepsen wrote on behalf of Connecticut and Attorneys General in nine other states: Florida, Kentucky, Massachusetts, North Carolina, New York and Pennsylvania among them. Two states have laws prohibiting disclosure of investigations. The company was asked to forward its responses to Assistant Attorney General Matthew Fitzsimmons, head of the Office’s data privacy task force. The task force was created by Jepsen last year in response to a number of data breach and privacy cases. Fitzsimmons is handling this matter for the Attorney General with Associate Attorney General Perry Zinn-Rowthorn. Source: Connecticut Attorney General George Jepsen

Customer data breach draws federal lawsuit against Nevada-based Zappos, parent company Amazon

Associated Press reports: Online retailers and are being sued in Kentucky by a Texas woman alleging that she and millions of other customers were harmed by the release of personal account information. […] Attorneys for plaintiff Theresa D. Stevens of Beaumont, Texas, are seeking class-action status on behalf of 24 million customers for what the lawsuit alleges was a violation of the federal Fair Credit Reporting Act. Read more from AP in the Washington Post.

Harmed how? From the story, there’s no actual harm alleged at this point other than an increased risk of harm, which courts have generally not recognized, and emotional distress, which they also have not recognized. I guess we’ll have to wait and see if this lawsuit also gets dismissed.

Zappos hacked; notifying 24+ million and customers of breach and to reset passwords

Online retailer Zappos has been hacked. Its CEO, Tony Hsieh, posted a copy of an email notification explaining the breach to all employees with a copy of the email notification sent to customers:

The following email was sent to our employees today:

Subject: Important – Security

Dear Zappos Employees –

Please set aside 20 minutes to carefully read this entire email.

We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with the FBI to undergo an exhaustive investigation. Because of the nature of the investigation, the information in this email is being sent a bit more formally, and unfortunately we are not able to provide any more details about specifics of the attack beyond what is in this email and the link at the end of this email, but we can say that THE SECURE DATABASE THAT STORES OUR CUSTOMERS’ CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.

The most important focus for us is the safety and security of our customers’ information. Within the next hour, to ensure a greater level of security, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts. (We’ve already reset and expired their existing passwords.)

Here is the email that our customers will be receiving:

————————————————————————-

Subject: Information on the site – please create a new password

First, the bad news: We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS: The secure database that stores your critical credit card and other payment data was NOT affected or accessed.

SECURITY PRECAUTIONS: For your protection and to prevent unauthorized access, we have expired and reset your password. Please see the link at the end of this message to create a new password. As always, please remember that will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information. We also recommend that you change your password on any other web site where you use the same or a similar password.

PLEASE CREATE A NEW PASSWORD: We have expired and reset your password. Please create a new password by clicking on the link below: http:// [we will provide a secure, unique link for each customer]

We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at [email protected]

————————————————————————-

We have also created a web page that we will continue to update as we learn more about what questions customers have:

In order to service as many customer inquiries as possible, we will be asking all employees at our headquarters, regardless of department, to help with assisting customers. Due to the volume of inquiries we are expecting, we realized that we could serve the most customers by answering their questions by email. We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren’t capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)

We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the secure database that stores our customers’ critical credit card and other payment data was not affected or accessed.

Over the next day or so, we will be training everyone on the specifics of how to best help our customers through their password change process now that their passwords have been reset and expired. We need all hands on deck to help get through this.

Thanks everyone.

Tony Hsieh
CEO

What I can’t figure out from the above is whether they are indirectly saying that they stored full credit card numbers on another server. I hope they clarify this in future statements. The same notification was sent to employees.