A Texas woman has sued Zappos and parent company Amazon over a weekend incident that left 24 million Zappos customers exposed. Hackers accessed a Zappos server housed in Kentucky, stealing customer names, phone numbers and email addresses.
The Zappos class action alleges the website does not have adequate procedures to protect user information as required under the Fair Credit Reporting Act. The company is also accused of being negligent and breaching user privacy.
It's unclear what effect the hack will have on Zappos customers, as PC World reports no credit card information was obtained. Users were only asked to change their passwords, including any reused on other sites across the web.
Attorneys for the plaintiff claim the breach will still result in identity theft. The theory is that customers will receive more spam mail that includes links to spoofed websites. If accessed, those websites can potentially steal critical private information.
Such large-scale security breaches tend to result in legal action, so the Zappos class action is no surprise. What is surprising is that weak security measures persist on sites that collect private information.
Last year's Sony PlayStation and Epsilon hacks exposed over 100 million people to potential fraud. And a hacker stole 130 million credit and debit card numbers in 2009. Why do such breaches continue to occur?
And why hasn't the government done anything about it? There were a few congressional hearings on the PlayStation breach, but nothing more. Do we need tougher data security laws? Or are lawsuits like the Zappos class action simply unpreventable?