Zappos must pay nine states $106,000 in a settlement reached after a 2012 data breach potentially exposed data on a server holding information on the online shoe retailer's 24 million customers.
Intruders gained access to parts of the company's internal network in 2012 through one of its servers in Kentucky.
Investigators believed the hackers harvested names, email addresses, billing and shipping addresses, phone numbers and the last four digits of credit card numbers. Because the hackers stole hashes for customer accounts, all access codes to the website were reset, and customers had to create new credentials.
The settlement requires Zappos to pay up within 30 days and hire a third-party provider to audit its security policies and systems. Any shortcomings must be presented to the states along with a plan to correct them.