Zappos Lawsuit Drives Home Need for Ongoing Credential Monitoring

April 12, 2018

Pay attention to this one!

6+ years later, Federal appeals court rules that data breach resulting in the theft of PII, even though the PII had not yet been used in any illegal activity, was harm enough to allow lawsuits to proceed against the company whose systems were compromised! 



On March 8, 2018, the U.S. Court of Appeals for the Ninth Circuit revisited In re Zappos.com, Inc.[1] (“Zappos”), in particular the question of whether the Plaintiffs had standing to sue Zappos over an alleged data breach that resulted in the theft of PII. The Court concluded that a certain class of Plaintiffs in Zappos had sufficiently alleged standing based on the risk of identity theft alone, even without any actual subsequent harm.

It is important to note that the Plaintiffs who are the focus of this appeal did not allege that their stolen PII had been misused in any way. Rather, this appeal concerns claims based on the hacking incident itself, not any subsequent illegal activity.

In brief, in January 2012 hackers breached the servers of online retailer Zappos and allegedly stole the names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information of more than 24 million Zappos customers. Zappos sent an email to its customers notifying them of the theft of their PII. The company recommended “that they reset their account passwords and change the passwords ‘on any other website where [they] use the same or a similar password.’” The Zappos Court noted that some customers responded almost immediately by filing class actions in federal district courts across the country.

In concluding that the Plaintiffs had sufficiently demonstrated standing to pursue their claims, the Court relied on its ruling in Krottner v. Starbucks Corp.[2] In Krottner, the Court held that Starbucks employees had standing to sue the company based on the risk of identity theft they faced after a company laptop containing their personal information, including social security numbers, was stolen. The Court concluded that the plaintiffs had “alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data.”[3]

Although there is no allegation in this case that the stolen information included social security numbers, as there was in Krottner, the Zappos Court agreed with the Plaintiffs that the information taken in the data breach still gave hackers the means to commit fraud or identity theft, as Zappos itself effectively acknowledged by urging affected customers to change their passwords on any other account where they may have used “the same or a similar password.”


Although there are several takeaways from the Ninth Circuit’s decision, MSPs should use this ruling to reinforce why they need to be monitoring for compromised data!

  1. This demonstrates why your customers need to know about and monitor for their compromised data. Need I say more?
  2. It’s speculated that compromised credentials led to the breach of Zappos’ servers located in Kentucky. Robust password policy enforcement and controls focused on eliminating password reuse, while adding complexity requirements and multi-factor authentication, are a must!

Not a Partner yet? Ask for a demo of Dark Web ID™ to see how you can convert prospects, protect your customers and compel them to purchase or upgrade to new services!

[1] In re Zappos.com, Inc., No. 16-16860, 2018 WL 1189643 (9th Cir. Mar. 8, 2018).

[2] 628 F.3d 1139 (9th Cir. 2010).

[3] 628 F.3d at 1143.