LAS VEGAS — Online retailers Amazon.com and Zappos.com are being sued in Kentucky by a Texas woman alleging that she and millions of other customers were harmed by the release of personal account information.
Officials representing Zappos in Nevada and parent company Amazon in Seattle declined to comment on the lawsuit filed in U.S. District Court in Louisville.
The lawsuit was filed last week after Zappos chief executive Tony Hsieh alerted employees and customers by email Sunday that names, phone numbers and email addresses of the shoe retailer’s customers may have been accessed in a hacker attack. The company said customers’ credit card and payment information weren’t stolen.
Zappos urged customers to reset passwords to accounts and any other websites where they use similar passwords.
Zappos said the hacker gained access to its internal network and systems through one of the company’s servers in Kentucky. Zappos is based in Henderson, Nev., and is owned by Amazon.com.
Attorneys for plaintiff Theresa D. Stevens of Beaumont, Texas, are seeking class-action status on behalf of 24 million customers for what the lawsuit alleges was a violation of the federal Fair Credit Reporting Act.
“There’s no question there’s been a breach here. Passwords had to be changed,” said Ben Barnow, a Chicago-based plaintiff’s lawyer working with Mark Gray of Louisville in the case.
Barnow said he feared the pilfered personal data could be sold by the hacker.
“I think it’s clear this type of information is for sale,” he said. “The risk is hanging out there.”
The civil negligence lawsuit seeks unspecified millions of dollars in compensatory and exemplary damages for emotional distress and loss of privacy, along with a court order for the company to pay for customer credit monitoring and identity theft insurance and periodic audits to ensure customer data is secure.
Zappos representative Diane Coffey in Boston and Amazon spokeswoman Mary Osako in Seattle said both companies have policies against commenting on litigation.