Zappos, the popular online shoe retailer and a division of Amazon, disclosed on Sunday that hackers broke into its customer database and stole records for some 24 million customers.
The data thieves did not get any payment card numbers, because that data was encrypted, as the Payment Card Industry Data Security Standard (PCI-DSS) requires.
But, as is common practice among online retailers, Zappos did not encrypt its customers' e-mail and shipping addresses, phone numbers, the last four digits of their payment card numbers, or their account passwords.
Retailers typically do not encrypt any data beyond what PCI-DSS rules, which are enforced by Visa and MasterCard, require, because doing so can degrade a website's performance, says Todd Feinman, CEO of database security firm Identity Finder.