Move over, Sony. The Amazon-owned online shoe retailer Zappos is in the process of notifying 24 million customers that hackers may have gained access to their personal information from online accounts at zappos.com. Customers’ names, email addresses, billing and shipping addresses, phone numbers, the last four digits of their credit card numbers, and their scrambled passwords may have been illegally accessed by hackers.
Zappos has not yet indicated when the breach occurred, but its CEO, Tony Hsieh, has informed its employees that it has recently been “the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky.” Hsieh indicated, however, that “critical card data and other payment data was not affected or accessed.”
The online shoe retailer has reset all passwords to the online accounts and has requested that its customers create a new password. Zappos is also recommending that customers change passwords on any other online accounts or websites where the customers may use the same or similar password. Affected individuals were also warned about phishing emails asking for personal information.
This is yet another example of the new trend in data breach notifications. Although customers’ full credit card number or banking information was allegedly not accessed, Zappos, like many other companies, has chosen to notify affected individuals of the incident. To the extent the same Zappos password is used for another online account, the hacker could certainly gain access to the individual’s credit card or financial information through that other account. Zappos’ notification is an attempt to mitigate damages arising out of this data breach and any direct loss to its customers, which could (and most likely will) result in litigation against Zappos.
For more information, please contact:
James J. Giszczak, 248.220.1354
Dominic A. Paluzzi, 248.220.1356
McDonald Hopkins counsels businesses and organizations regarding all aspects of data privacy and network security, including proactive compliance with the numerous state, federal and private data security regulations (including PCI DSS and HITECH) relative to personal information and protected health information, training of employees and preventative measures to decrease the risk of data theft. We also counsel businesses and organizations through the data breach response process and coordinate notifications to affected individuals and state attorneys general, as well as advising on media related issues. Our attorneys can help you properly assess your risks to ensure compliance. After you complete the brief McDonald Hopkins Data Privacy and Network Security Review, your company will be provided with an assessment of the required areas of compliance which have the greatest need of attention and improvement.
Carl J. Grassi, President
600 Superior Avenue, East, Suite 2100, Cleveland, Ohio 44114
© 2014 McDonald Hopkins LLC All Rights Reserved.