Zappos Is Giving Us a Lesson on Managing a Data Breach

Zappos Is Giving Us a Lesson on Managing a Data Breach

We’ve written about the mechanics of dealing with data breaches on this blog several times before, but Zappos, the Amazon-owned online shoe and apparel retailer, is giving us a great real-time lesson on the subject that everyone who may ever have to deal with the issue should look to for guidance. There is a lot to be learned.

Zappos has built its reputation around, and owes its huge success to, providing an exceptionally high level of customer service, including a 365-day no-questions-asked return policy. Zappos customers, this blogger very much included, really feel that their satisfaction is the retailer’s top priority and there is nothing to test the validity of this belief as a confirmed breach of sensitive customer account data. But as I said, Zappos is meeting the challenge with flying colors.

Crisis Management Lessons from the Zappos Data Breach

Zappos announced the data breach in an email from founder and CEO Tony Hsieh to all of the company’s employees that was also published on the retailer’s blog for the whole world to see. This email deserves close examination, as it should be used as a crisis management template by everyone who finds his company in a similar predicament. Let’s do it.

Lesson 1: get everyone involved. By addressing all of his employees, Hsieh makes it clear to both his own organization’s staff, as well as to the outside world, that this is an issue that is the responsibility of everyone within his company to help dealing with.

Hsieh begins his email thus:

Please set aside 20 minutes to carefully read this entire email.

Lesson 2: make the gravity of the situation immediately clear. It is a short email that takes a few minutes of careful reading to get through, but Hsieh is asking that employees spend much more time on it. Why? Because the issue is critical and he wants everyone to understand that and give it some thought.

Then the CEO tells us what took place:

We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation.

Lesson 3: get straight to the point and tell it like it is. Once you’ve got everyone’s attention and made it clear how important the issue at hand is, the only sensible way to proceed is to describe the matter clearly and concisely. Hsieh does just that.

Now Hsieh tells us that he is not allowed to provide specific details, but adds this:


Lesson 4: don’t overblow the positive aspects (if any). The problem is huge and you’ve already made that point clear. Now, if there is anything that is positive about the story, tell the facts, but don’t make it sound as if it is equally, never mind more, important than the bad news. Doing so would weaken the message of urgency you are sending. That’s also why in his letter to Zappos’ customers that follows the one to his employees, Hsieh refers to this aspect of the story as “the better news,” not a good or positive one.

Hsieh finishes his email in this way:

The most important focus for us right now is the safety and security of our customers’ information. Within the next hour, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts. (We’ve already reset and expired their existing passwords.)

Lesson 5: reiterate your commitment to solving your customers’ problem and say what you are doing about it. You need to look at the issue through the eyes of your customers. They don’t care what your company is going through or how much the cleaning up process will cost you. The only things your customers care about is how big the damage is and what you are doing to protect their interests. That’s what you should be telling them and that is precisely what Hsieh has done.

Then Hsieh attaches the email that his company will be sending to its customers, which informs them of the data breach and tells them what the company has already done to remedy the issue. The letter also asks that customers do the following:


We have expired and reset your password so you can create a new password.

Lesson 6: tell your customers what they need to do. As your customers’ accounts are now compromised, new log-in credentials need to be created. Make this process as simple and straightforward as you can and clearly tell your customers what they need to do. Again, Zappos has done just that.

The letter provides a link to a page where Zappos customers can go to for updates and also informs them that:

We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren’t capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)

Lesson 7: if your customers will be inconvenienced in some way, inform them beforehand and explain why. The worst thing you could do, if things started working differently from the way they used to, would be to keep customers in the dark as to the reason. That would be a sure way to provoke a torrent of negative publicity in the form of angry tweets and comments on the news stories covering the event. So if your customers will be seeing changes in the way you communicate with them, tell them what they should be expecting and why (and make sure there is a good reason for it!).

The Takeaway

Bad things do happen and data breaches are certainly no exception. Your customers understand that and will give you the benefit of the doubt, if you do suffer a breach, unless you’ve been egregiously negligent in protecting their information. Your response to the crisis will be the only thing that determines whether the issue is resolved with minimal damage and inconvenience to your customers or it deteriorates into a PR disaster.

Zappos is giving us a lesson on how to do this properly and we should all be taking notes.

Image credit: Zappos.

4 Responses

  1. Dennis Adsit, Ph.D.
  2. Penny
  3. Lauren

Add Comment

Read more:
E-Commerce Shipping Policy Guidelines
E-Commerce Shipping Policy Guidelines