A federal appellate court has revived a class-action lawsuit against Zappos stemming from a 2012 data breach that resulted in the theft of 24 million customers’ information, including their email addresses, passwords, phone numbers and last four digits of their credit cards.
In the ruling, issued Thursday, a three-judge panel of the 9th Circuit Court of Appeals rejected Zappos’ argument that the consumers didn’t establish that they were injured by the data breach.
“Plaintiffs allege that the type of information accessed in the Zappos breach can be used to commit identity theft, including by placing them at higher risk of ‘phishing’ and ‘pharming,’ which are ways for hackers to exploit information they already have,” the appellate judges wrote.
The judges added that the stolen data “gave hackers the means to commit fraud or identity theft.”
The appellate panel also noted that two of the consumers who were named in the suit said that hackers “took over their AOL accounts and sent advertisements to people in their address books.”
“Though not a financial harm, these alleged attacks further support plaintiffs’ contention that the hackers accessed information that could be used to help commit identity fraud or identity theft,” the opinion states.
The legal battle dates to 2012, when consumers whose information was stolen sued Zappos for allegedly violating its contract with users by failing to keep their personal information secure. U.S. District Judge Robert Jones in Nevada sided with Zappos in 2016, ruling that the consumers’ allegations, if true, didn’t establish that they suffered a concrete injury.
An “increased threat of identity theft and fraud stemming from the Zappos’s security breach does not constitute an injury-in-fact,” Jones wrote.