A putative class action lawsuit has been filed in federal court in Louisville, Ky., in connection with a hacking incident over the weekend that led to the access of personal information on 24 million customers of Zappos.com, a unit of Amazon.com Inc.
According to the lawsuit, Theresa D. Stevens vs. Amazon.com Inc., DBA Zappos.com, filed Monday in U.S. District Court for the Western District of Kentucky in Louisville, the thieves gained access to the online shoe retailer's internal network through servers located in Shepherdsville, Ky.
The Zappos data stolen included names, account numbers, passwords, email addresses, billing and shipping addresses, phone numbers and the last four digits of credit cards used to make purchases. A letter describing the hacking was sent to 24 million customers by Zappos CEO Tony Hsieh on Monday, according to the lawsuit.
The suit alleges that Seattle-based Amazon “failed to adopt and maintain adequate procedures to protect such information and limit its dissemination only for the permissible purposes set forth” in the Fair Credit Reporting Act.
“Defendant’s wrongful actions and/or inaction also constitute common law invasion of privacy by the public disclosure of private facts and common law negligence,” according to the suit.
As a result of the theft, class members “are more likely to unknowingly give away their sensitive personal information” to “thieves who specialize in constructing spoof websites and emails that mirror the brand they’re spoofing—such as Zappos.com and/or other popular online retailers and financial institutions,” according to the suit, which accuses Amazon of willful and negligent violations of the FCRA, negligence and invasion of privacy by public disclosure of private facts.
It seeks actual, economic, mental anguish, statutory, exemplary and/or nominal damages, and injunctive relief and attorney fees, litigation expenses and costs.