The Zappos Data Breach 10 Days On: The Lessons Continue

We received an incredible amount of feedback on our post last week on the Zappos data breach. The interesting thing about it was that while most of the readers came from our Facebook page, where all of our new articles are immediately posted, and a decent number of them hit the “Like” button, the vast majority of the responses came from Twitter. As a side note, that is becoming a trend, and we’d be interested in hearing what experience you’ve had with reader engagement on blog posts published to your business’ Facebook page and Twitter account.


But let’s move on to the issue at hand. It’s been ten days now since Tony Hsieh, CEO of Zappos.com, the Amazon-owned online shoe and apparel retailer, announced in an email that his company had suffered a data breach. We were so impressed by Zappos’ response that we analyzed Hsieh’s email in detail in our initial post and suggested that everyone who may ever have to deal with a similar crisis should use it as a template. But how has the company done since then and, more importantly, how have Zappos’ customers been affected in the event’s aftermath?


Well, the retailer has again done an outstanding job and deserves the highest marks for its efforts and, as best we can tell, its customers have suffered no lasting damage at all.

What Has Zappos Done since It Announced the Data Breach?


Following the initial email announcing the breach, Zappos has published two updates on the web page that was specially created for the purpose of keeping customers, and the outside world at large, informed on the progress the retailer was making in getting things back to normal. These updates were terse and to the point.


The first one explained the meaning of a technical term — “cryptographically scrambled” — and informed readers that the company was cooperating with the FBI in its investigation, which is standard procedure for dealing with the aftermath of a data breach.


The second update announced that Zappos’ phone system was again functioning as normal, after being intentionally turned off following the event, because it would not have been able to handle the expected volume of incoming calls (which was explained in Hsieh’s email).


So, while the investigation is still ongoing, things are now back to normal at Zappos. But what were the consequences for its customers?

What Is the Damage to Zappos’ Customers?


I read somewhere that the attorneys for a Zappos customer are seeking a class-action suit against the retailer, which was more or less to be expected. But how justified are consumers’ worries in this case? Well, to answer that question we’ll need to understand exactly what information has been compromised.


Zappos told its customers that:

[T]here may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).


We were also told that:

THE DATABASE THAT STORES OUR CUSTOMERS’ CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.


So the hackers seem to have gained access to some of the information stored in Zappos’ customer profiles. It is unclear whether or not the criminals may have been able to actually access the customers’ accounts, because we don’t know if they could have retrieved the associated passwords. But even if they could have done that, it wouldn’t have been all that big of a gain. They could have attempted to place an order, which, even in the unlikely event that it went through, would have been immediately disputed, and the cardholder would have been reimbursed for any financial losses. Moreover, any bank card information that may have been stored in a compromised profile would have been unusable, because a profile displays only the last four digits of the account number.


In the end, given that the data breach was discovered immediately and the passwords reset, the criminals would have been left with information that, for the most part, is freely available in the Yellow Pages.
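The argument above rests on two things: what a “cryptographically scrambled” password actually gives someone who copies it, and why the immediate reset matters. The following Python walkthrough is an added illustration, not Zappos’ code (the post does not say how Zappos stored passwords; PBKDF2-HMAC-SHA256 with a per-customer salt is an assumption here, and the e-mail address and passwords are constructed sample values). It shows that a stolen record neither contains nor reveals the password, that two customers with the same password do not share a record, and that once the site replaces the record the copied one no longer logs anyone in.

```python
import hashlib
import hmac
import os

# Assumed storage scheme: PBKDF2-HMAC-SHA256 with a random per-user salt.
# The iteration count is a cost knob; raise it as hardware gets faster.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Derive a salted, slow hash and pack it as 'pbkdf2_sha256$iters$salt$digest'.

    This packed string is what a copy of the profile table would expose. It does
    not contain the password and cannot be run backwards to produce it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return "pbkdf2_{}${}${}${}".format(HASH_NAME, iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_" + HASH_NAME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class AccountStore:
    """Minimal stand-in for a customer-profile table keyed by e-mail address."""

    def __init__(self):
        self._records = {}

    def set_password(self, email, password):
        self._records[email] = hash_password(password)

    def login(self, email, password):
        record = self._records.get(email)
        return record is not None and verify_password(password, record)

    def stored_record(self, email):
        """The value an attacker who copied the profile table would see for this account."""
        return self._records[email]


def breach_walkthrough():
    """Constructed scenario: a profile record is copied, then the site forces a reset."""
    store = AccountStore()
    email = "alice@example.invalid"            # constructed sample customer
    store.set_password(email, "sandals-2012")  # constructed sample password
    stolen = store.stored_record(email)        # what the breach would have exposed

    results = {
        # The scrambled value is not the password and does not contain it.
        "record_contains_password": "sandals-2012" in stolen,
        # Same password, different customers: per-user salt gives different records.
        "same_password_same_record": hash_password("sandals-2012") == hash_password("sandals-2012"),
        # Before any reset, the copied record still corresponds to the real password.
        "old_record_matches_old_password": verify_password("sandals-2012", stolen),
    }

    # Forced reset: the site replaces the record, so the copied one is stale for
    # logging in, whatever an attacker might later learn from it.
    store.set_password(email, "new-pass-after-reset")
    results["old_password_still_logs_in"] = store.login(email, "sandals-2012")
    results["new_password_logs_in"] = store.login(email, "new-pass-after-reset")
    return results


if __name__ == "__main__":
    for check, value in breach_walkthrough().items():
        print(f"{check}: {value}")
```

The one result worth dwelling on is `old_record_matches_old_password`: scrambling stops a copied record from being read as a password, but until the site replaces it the record still corresponds to the customer’s real credential. That is why the prompt reset the post credits Zappos with is the step that actually closes the exposure, and why a customer who reused the same password elsewhere should change it there too.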

The Takeaway


The significance of the Zappos data breach should not be minimized and I’m not attempting to do so. Such events are potentially hugely damaging both for the affected business and its customers, so every effort should be made to prevent them from occurring. If a business is found to have not complied with existing data security standards or to have otherwise been lax in safeguarding sensitive customer information, it should be held accountable for its carelessness. We don’t yet know whether Zappos is guilty on any of these counts, so, though I reserve the right to comment on that issue when information becomes available, I can’t do so at present.


However, the fact remains that Zappos’ response to the crisis has been exceptional and the company deserves to be commended for it. But the real good news is that Zappos’ customers have suffered no lasting damage.


Image credit: Wikimedia Commons.
