Josephine Wolff, Slate:
In January 2012, the Amazon-owned online retailer Zappos suffered a major data breach that exposed personal information of about 24 million of the site’s customers, including names, addresses, passwords, and the last four digits of their credit card numbers. The fallout from large-scale data breaches is never resolved quickly, but even by those standards, the settlement that Zappos proposed this fall was a little bit shocking both in how long it took to reach and how little it offered to victims of the breach.
The settlement, which was submitted for approval to the United States District Court for the District of Nevada in September, provides a 10-percent-off code for one Zappos order per affected customer, but the discount has to be used by 11:59 Pacific time on Dec. 31, 2019, or within 60 days of being distributed to affected customers, whichever is later. The deal has already received preliminary approval and is likely to be finalized in the coming weeks. It’s an astonishing step backward in data breach settlements and a disheartening reminder of how easy it is for major companies to still walk away from data breaches with minimal consequences.
No data breach is good, but the Zappos one is relatively minor in terms of the severity of data exposed. Contrary to Wolff’s reporting, passwords themselves were not exposed, only cryptographic hashes of them, not the plaintext. Names and addresses aren’t public, per se, but nor are they alarmingly private. Likewise, the last four digits of a credit card number appear on receipts, so they aren’t considered extremely sensitive either.
But the combination of these elements can be dangerous. The email account used for a Zappos account is likely tied to other services; home addresses don’t change often, either. Mat Honan’s accounts and computer were compromised, in part, because Apple relied upon the last four digits of a credit card number as a security measure. I’m not sure this is still the case with Apple, but I’ve been asked for the last four digits of my credit card number as a unique identifier several times within the past year by different companies.
Regardless of the actual impact of Zappos’ breach, this settlement is a joke. Those affected will only receive a benefit if they purchase something else with Zappos and, even then, the value of the settlement will be paltry. Zappos basically won a marketing blitz just in time for the holidays. You can opt out or express disapproval if you’re affected by this.
It sure would be great if there were some punitive measure to hold businesses accountable for the security of their vast and unnecessary hoarding of personally identifiable details.