Online retailer Zappos this week settled with attorneys general in nine states, agreeing to pay out $106,000 stemming from a data breach in 2012 that exposed 24 million customers’ information.
Massachusetts Attorney General Martha Coakley filed the settlement in Suffolk Superior Court on Wednesday, as did AGs from Arizona, Connecticut, Florida, Kentucky, Maryland, North Carolina, Ohio and Pennsylvania.
Under the agreement, the Las Vegas company must also take necessary actions to better protect its customers’ information going forward.
“Our office will continue to hold retailers accountable for failing to follow their own policies regarding consumer data that they maintain, and make sure that all companies have reasonable data security measures in place,” Coakley said in a press release on Wednesday.
Each state is getting roughly the same cut of the $106,000. Massachusetts, which had approximately 740,000 residents affected, will receive more than $11,000.
As part of the agreement, Zappos will have to maintain and comply with its information security policies and provide each attorney general with those policies and an explanation of how they apply to customer information. The company must also undergo a third-party audit and provide the audit report to the attorneys general, along with copies of reports showing how it complies with the Payment Card Industry Data Security Standard, for two years.
In addition, to bolster security awareness, the e-merchandiser must provide annual training to its 1,500 employees.
Attackers initially infiltrated the company’s network in January 2012 via a server in Kentucky. Files on that server were ultimately discovered to contain customers’ names, billing and shipping addresses, telephone numbers, log-in credentials and the last four digits of their credit card numbers. Following the breach, the company, which sells clothing, accessories and other merchandise aside from shoes, invalidated all affected users’ passwords and required them to choose new ones.
According to Coakley, aside from the last four digits of their cards, no other payment card information, and no full debit or credit card numbers, was implicated in the breach.