Privacy, Shoes, Technology, Texas

Zappos Suffers a Data Breach, and the Other Shoe Drops with a Lawsuit

Shoes. Oh my God, shoes.

On Monday, my roommate came home griping that his account, which he had not used in a year, had been hacked. Instead of feeling sympathetic, I started wondering how I might write about it. Data breaches are a dime a dozen these days.

It seems almost every company loses control of their customers’ sensitive data at some point. Someone almost always sues after the news breaks. But the lawsuits are rarely successful, unless customers can show real harm caused by the breach.

Most often, companies do not give up full credit card or Social Security numbers. This week, Zappos said it only suffered unauthorized access to somewhat less sensitive information. It’s a bit unnerving, but not the end of the world.

Did that stop some opportunistic consumer from taking action against the online shoe retailer?

Of course not. And we didn’t have to wait very long. A Texas woman filed a class-action lawsuit against Amazon, which owns Zappos, the same day the breach was announced. Is her lawsuit premature, vague, and a bit silly? Probably. Will it go anywhere? Probably not. But c’mon, you gotta love melodramatic, eager-beaver, consumer litigation.

So what, exactly, did Zappos lose? And how many people’s data was compromised? (Hint: it’s a lot.) Let’s mosey on past the jump and find out….

Bloomberg covered the story yesterday:

Theresa Stevens, a resident of Beaumont, Texas, said that as a result of the breach, she and other Zappos customers are more likely to receive e-mails from spoof websites and unknowingly give away personal information to hackers, according to her complaint filed Jan. 16 in federal court in Louisville, Kentucky. The customers will also incur expenses for credit monitoring and suffer emotional distress and loss of privacy, according to the complaint.

Stevens seeks to represent 24 million Zappos customers whose personal information was compromised, according to the complaint. She received an e-mail from the online shoe retailer Jan. 16 saying her information was stolen as part of a data breach. Hackers gained access to’s internal network through unprotected computer servers located in Shepherdsville, Kentucky, according to the complaint.

Mm-hmm. GFL, Theresa. I’m not even going to touch the problematic logistics involved in litigating a class of 24 million people.

As far as receiving emails from “spoof websites,” I think we are all already up that creek without a paddle. The 21st century spam train has left the station, and the whole planet is on it.

But did the data breach really leave consumers vulnerable to more hacker crime?

Well, let’s take a look at the (surprisingly witty and matter-of-fact) email that Zappos sent its customers on Monday:

First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).


The database that stores your critical credit card and other payment data was NOT affected or accessed.

Yes, it’s scary to learn that companies we decide to trust with our money are not impenetrable. Even the biggest, most powerful, tech-savvy ones. But this current situation, as it appears to be, really is not that bad.

The company’s compliance and legal teams should be proud of how they handled the situation. They notified customers quickly, clearly, and efficiently.

A hacker now might know a bunch of names, addresses, e-mails, and phone numbers. But that’s not exactly top-secret, classified information. The last four digits of your credit card number are available to anyone who picked up any receipt you have ever thrown away.

Sometimes data breaches do result in costly settlements. But not for piddly stuff like this. We’ve said it before, but if you are the victim of a data breach, don’t panic. Sit down, and simply change your passwords.

Nothing is f***ed here, dude. Nothing is f***ed. Sued by Customer Over Hackers’ Theft of Zappos Data [Bloomberg BusinessWeek]

(hidden for your protection)

comments sponsored by

Show all comments