Zappos agrees to pay $106,000 to settle its 2012 data breach
January 13, 2015 01:35 PM
Settling the lawsuits that followed Zappos.com Inc.’s 2012 data breach will cost the Amazon.com Inc.-owned online retailer $106,000.
Zappos suffered a breach in January 2012 after criminals accessed one of the retailer’s computer servers. An investigation after the breach found the server contained customer names, billing and shipping addresses, telephone numbers, the last four digits of credit card numbers, and shoppers’ login credentials. There was no evidence that the criminals accessed consumers’ full credit or debit card numbers or other payment data.
Following the breach, nine states—Arizona, Connecticut, Florida, Kentucky, Maryland, Massachusetts, North Carolina, Ohio and Pennsylvania—sued the online retailer for exposing up to 24 million customers’ personal information.
“When you entrust your personal information to a business, you expect that business to keep it safe,” says North Carolina Attorney General Roy Cooper. “Businesses must take the threat of a security breach seriously, and they must do more to protect consumers’ data.”
In addition to the payouts, Zappos also agreed to:
- Maintain and comply with information security policies and procedures;
- Provide the attorneys general with its current security policy regarding customer information;
- Provide the attorneys general with copies of reports demonstrating compliance with the Payment Card Industry Data Security Standard for two years;
- Hire a third party to conduct an audit of its security of personal information, provide the audit report to the attorneys general, and address any deficiencies; and
- Provide annual training to employees regarding security policies.
In addition to the financial hit, the breach may also have changed some shoppers’ impressions of the retailer. 38% of consumers in a recent KPMG survey said a security breach has a negative impact on how they perceive companies that have suffered a breach.
Moreover, 27% of respondents said they will only shop at a store that previously experienced a cyberattack if they cannot find the product they’re looking for elsewhere, and 8% refuse to shop at those merchants.