States Ask Zappos for Breach DetailsState Attorneys General Demand More Information
Connecticut Attorney General George Jepsen and eight other state attorneys general are demanding that Internet retailer Zappos provide details on the company's recent data breach that affected 24 million individuals.
In Jepsen's letter to Zappos' CEO Tony Hsieh, written on behalf of all the attorneys general, he raises concerns about the risk of identity theft, fraud, targeted e-mail phishing or other scams. He also questions the effectiveness of Zappos' measures to protect the confidentiality and security of private information.
"Although this incident has received substantial public attention, we ask that you provide us further information so that we may evaluate the adequacy of the efforts Zappos has made to protect consumers' sensitive information from improper access, as well as its actions in response to this breach," Jepsen writes.
In the letter, the attorneys general demand that Zappos must respond to the questions no later than Jan. 27.
The questions surrounding the breach include:
- How Zappos discovered the intrusion;
- How it determined that no financial or credit card data was compromised;
- The precise nature of the information involved;
- The total number of consumers affected;
- The number of consumers affected in various states;
- How consumer information is stored, including whether it is encrypted and whether it is separated from other data;
- How long consumer information is stored by Zappos and whether any of this information is automatically deleted after a certain amount of time; and
- The cause of the breach.
The attorneys general also inquired about how Zappos notified consumers and government, which according to the letter, remains "unclear." Questions raised regarding notification include:
- How many consumers were potentially affected and how many were notified;
- How consumers were identified as having been affected or entitled to notice;
- How notice was conveyed;
- When consumers were or will be notified;
- The precise content of the notice; and
- When those state Attorneys General who require notice of the breach under their data breach notification statutes will be properly notified of the breach.
In a blog post on Jan. 15, Hsieh explained that a criminal gained access to certain parts of the company's network through one of its servers in Kentucky.
The data breach resulted in unauthorized access to the following customer account information: names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers and/or encrypted passwords.
Shortly after the breach was reported, a class action lawsuit was brought against Zappos and its parent company, Amazon.com (see: Zappos Sued Over Data Breach).