January 16, 2012

Zappos announced today it is the latest target of a massive data breach

Move over, Sony. The Amazon-owned online shoe retailer Zappos is in the process of notifying 24 million customers that hackers may have gained access to their personal information from online accounts at Customers’ names, email addresses, billing and shipping addresses, phone numbers, the last four digits of their credit card numbers, and their scrambled passwords may have been illegally accessed by hackers.

Zappos has not yet indicated when the breach occurred, but its CEO, Tony Hsieh, has informed its employees that it has recently been “the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky.” Hsieh indicated, however, that “critical card data and other payment data was not affected or accessed.”

The online shoe retailer has reset all passwords to the online accounts and has requested that its customers create a new password. Zappos is also recommending that customers change passwords on any other online accounts or websites where the customers may use the same or similar password. Affected individuals were also warned about phishing emails asking for personal information.

This is yet another example of the new trend in data breach notifications. Although customers’ full credit card numbers and banking information were allegedly not accessed, Zappos, like many other companies, has chosen to notify affected individuals of the incident. To the extent the same Zappos password is used for another online account, the hacker could certainly gain access to the individual’s credit card or financial information through that other account. Zappos’ notification is an attempt to mitigate damages arising out of this data breach and any direct loss to its customers, which could (and most likely will) result in litigation against Zappos.

For more information, please contact James J. Giszczak, Dominic A. Paluzzi, or any of our Data Privacy and Network Security attorneys.

McDonald Hopkins counsels businesses and organizations regarding all aspects of data privacy and network security, including proactive compliance with the numerous state, federal and private data security regulations (including PCI DSS and HITECH) relative to personal information and protected health information, training of employees and preventative measures to decrease the risk of data theft. We also counsel businesses and organizations through the data breach response process and coordinate notifications to affected individuals and state attorneys general, as well as advising on media related issues. Our attorneys can help you properly assess your risks to ensure compliance. After you complete the brief McDonald Hopkins Data Privacy and Network Security Review, your company will be provided with an assessment of the required areas of compliance which have the greatest need of attention and improvement.

Carl J. Grassi, President
600 Superior Avenue, East, Suite 2100, Cleveland, Ohio 44114