Did Zappos Get a Lucky Break in Its Data Breach?

We have been greatly impressed by the way Zappos has managed its data breach so far. The retailer did a great job of communicating what happened to the public and of providing clear instructions to its customers on what they needed to do to help get things back to normal. And by all appearances, things did get back to normal five days after the breach was announced.

But it could have been worse, much worse. See, Zappos seems to have been fortunate (or was it well prepared?) that the hackers did not get access to the retailer’s database that stores its customers’ credit card and other payment-related information. In the event, a mere change of the customer passwords was sufficient to cure the problem. If the credit card data were hacked, however, the remedial process would have had to be much more complicated and Zappos’ potential liability — much greater. Let me illustrate what I mean with an example.

How the RBS Worldpay Hackers Stole $9.5 Million in 2008

In November 2008 we saw how quickly a large, well organized criminal network can inflict huge damage using stolen credit card data. Back then a group of criminals hacked their way into the files of RBS Worldpay, the U.S. payment processing subsidiary of the Royal Bank of Scotland. Unlike what took place during the Zappos event, the RBS hackers managed to gain access of the credit and debit card data of 1.5 million cardholders. And they made the best use of it in the short amount of time they knew they had, before the cards were closed.

So once the hackers got their hands on the cardholder information, they immediately distributed the loot to a large network of co-conspirators who encoded the stolen data into counterfeit payment cards. But the hackers’ job was far from finished. While their pals were producing fake cards, the hackers got busy modifying RBS Worldpay’s computer systems, so that they could increase the available funds on the cards (in some cases to as much as $500,000), as well as the limits on the amount that could be withdrawn at ATMs.

Only at this point were the criminals ready to cash in. The counterfeit cards were put to use and, over the course of less than twelve hours, the criminals managed to withdraw $9.5 million from some 2,100 ATMs in 280 cities. While the heist was under way, the hackers, still “logged into” RBS Worldpay’s system, were monitoring the withdrawals in real time and, once the job was done, tried to erase their tracks. The criminals were eventually caught, but the damage they’d done was huge.

U.S. Suffers 30 Data Breaches per Month

Now, the above example is truly extraordinary in its complexity and scale and such well-planned and executed electronic heists are fortunately a rare occurrence. But smaller-scale data breaches happen all the time and at the end of Q1 2010 they were occurring at an average rate of around 30 per month in the U.S. alone. Here is how the occurrences of publicly disclosed data breaches were distributed across the last five years of the previous decade (source):

And it turns out that close to a third of all data breaches are caused by insider actions, either malicious or, much more commonly, accidental (source):

As you see, the vast majority of all data breaches are the result of low-tech actions or plain negligence. That doesn’t make them any less damaging, though, which is why the PCI DSS requirements are becoming ever stricter (much to merchants’ annoyance, unfortunately).

The Takeaway

We don’t yet know the full extent of the damage inflicted by the Zappos hackers and it will probably be quite some time before we do, if we do. Yet, what is known even now is that the criminals were unable to access the most valuable part of the retailer customers’ profiles: their payment account information. We can only hope that it wasn’t dumb luck that protected that most sensitive of customer data and I also hope that we will eventually learn if it was.

Image credit: Mbird.com.