Zappos.com, the online shoe retailer, is in the process of contacting its 24 million customers with information about this month's security breach, in which a hacker gained access to one of the company's servers.
The attorneys general from 10 states say they would like a little more information too. The state officials have written to the Zappos.com CEO, seeking information about how the breach occurred, how affected customers were identified and notified, and any corrective plans developed in response.
“This incident raises serious concerns about the possibility of fraud and targeted e-mail ‘phishing’ or other scams, as well as questions about the effectiveness of the company’s measures to protect the confidentiality and security of private information that it receives from consumers,” said Connecticut Attorney General George Jepsen.
Jepsen wrote the letter on behalf of Connecticut and attorneys general in nine other states: Florida, Kentucky, Massachusetts, North Carolina, New York and Pennsylvania. Two states have laws prohibiting disclosure of investigations.
Internal network and systems affected
Published reports said the hacking affected parts of the company’s internal network and systems, compromising a wide array of personal customer information, including names, billing and shipping addresses, e-mail addresses, phone numbers and encrypted passwords.
The company said the server that contains customers' credit card information was not compromised. Zappos.com CEO Tony Hsieh said the company reset customers' passwords to prevent any unauthorized access to accounts.
Security experts say the breach is very serious, however, because hackers got access to a wide range of data that could help them identify individual consumers and make it easier to steal their identities.