
On Sunday, January 15, 2012, Zappos notified its employees that there had been a data breach in its internal network. The breach made headlines around the world, which makes sense considering the popularity of the eCommerce company. I believe that CEO Tony Hsieh handled the situation beautifully, and I look forward to seeing the outcome of the breach.
Zappos has been known in the eCommerce world for their transparency with both employees and customers. They have one of the best customer service reputations of all businesses. However, even the highest man on the totem pole can succumb to an attack from a driven malicious hacker.
Over 24 million customers potentially had information stolen from the databases. In the email to employees, Hsieh clearly states that the database storing customers’ critical credit card and other payment data was not affected or accessed. Even so, the following were possibly compromised:
- Name
- E-mail address
- Billing and shipping addresses
- Phone number
- Last four digits of credit card number (standard information on receipts)
- Cryptographically scrambled password (no clear text passwords)
Why do I think Zappos handled the data breach well?
Hsieh is direct in his email to employees and shares the additional customer notification email.
“To: Zappos Employees
Subject: Important – Security
Dear Zappos Employees -
Please set aside 20 minutes to carefully read this entire email.
We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky…”
The email goes on with the full explanation. If you are interested in reading the email in its entirety, please visit the Zappos blog. This brings me to my second point. The email was also posted on their website, making important company news transparent to customers and possible future customers.
In the email to its customers, they separated the news into segments:
- The bad news – explains to the customer what had happened
- The better news – explains to the customer that critical credit card information was not stolen
- Security precautions – explains that they are recommending that the customer should change their password and that they will never ask for personal information via email or phone. If you are suspicious of an email, log in to the website directly to see if there is an alert or message on your account.
- Please create a new password – shares simple instructions on how to change your password and an additional email address specifically for questions related to the process.
Hsieh goes on to say how a single data breach can damage the reputation of a very popular company, and how the security of critical credit card information is extremely important in this situation.
“We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers’ critical credit card and other payment data was not affected or accessed.”
In conclusion, I believe Zappos did a fantastic job responding to the incident. They notified employees and customers, and are working with law enforcement to investigate the data breach. As a business should be, they are concerned about their reputation but more importantly, about the security of their customers’ information.
Zappos is providing further training to its employees to assist any customer who has a problem changing passwords. I look forward to seeing how they continue to handle the incident.
Scott

About the Author:
Marketing at Pivot Point Security