States Ask Zappos for Breach Details

State Attorneys General Demand More Information

Connecticut Attorney General George Jepsen and eight other state attorneys general are demanding that Internet retailer Zappos provide details on the company's recent data breach that affected 24 million individuals.

In Jepsen's letter to Zappos' CEO Tony Hsieh, written on behalf of all the attorneys general, he raises concerns about the risk of identity theft, fraud, targeted e-mail phishing or other scams. He also questions the effectiveness of Zappos' measures to protect the confidentiality and security of private information.

"Although this incident has received substantial public attention, we ask that you provide us further information so that we may evaluate the adequacy of the efforts Zappos has made to protect consumers' sensitive information from improper access, as well as its actions in response to this breach," Jepsen writes.

In the letter, the attorneys general demand that Zappos respond to the questions no later than Jan. 27.

The questions surrounding the breach include:

  • How Zappos discovered the intrusion;
  • How it determined that no financial or credit card data was compromised;
  • The precise nature of the information involved;
  • The total number of consumers affected;
  • The number of consumers affected in various states;
  • How consumer information is stored, including whether it is encrypted and whether it is separated from other data;
  • How long consumer information is stored by Zappos and whether any of this information is automatically deleted after a certain amount of time; and
  • The cause of the breach.

The attorneys general also inquired about how Zappos notified consumers and government, which, according to the letter, remains "unclear." Questions raised regarding notification include:

  • How many consumers were potentially affected and how many were notified;
  • How consumers were identified as having been affected or entitled to notice;
  • How notice was conveyed;
  • When consumers were or will be notified;
  • The precise content of the notice; and
  • When those state Attorneys General who require notice of the breach under their data breach notification statutes will be properly notified of the breach.

Breach Details

In a blog post on Jan. 15, Hsieh explained that a criminal gained access to certain parts of the company's network through one of its servers in Kentucky.

The data breach resulted in unauthorized access to the following customer account information: names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers and/or encrypted passwords.

Shortly after the breach was reported, a class action lawsuit was brought against Zappos and its parent company, (see: Zappos Sued Over Data Breach).

About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
