Zappos.com breach – lessons learned

We read that Zappos.com was breached on Sunday, to the tune of 24+ million users’ worth of information. But it seems at first blush they responded well. Of course, a company would hope to never have a breach at all, but when it happened at Zappos.com, here are some of the things they appear to have done right.

#1 Notify your customers quickly: It may seem obvious, but more than a few companies that have breaches are slow to admit it. In this case, the Zappos CEO sent out an internal email describing the breach details that were relevant, along with outlining steps they planned on taking to remedy the breach. This was followed by a notification email sent to the users affected.

#2 Reveal the extent of the breach: Zappos.com outlined in the customer notification email the extent of the information that may have been compromised, and what appeared to have been safe. They said in their communication: "The database that stores your critical credit card and other payment data was NOT affected or accessed."

#3 What they’re doing to protect you: Zappos.com outlined specific details about how customers could protect themselves, in this case by changing a password. Even though the passwords that may have been accessed were scrambled, if users changed them quickly, the black-market value of the passwords would be significantly reduced. It would also hinder further attempts to access personal data using the existing passwords.

#4 Tell users where to find more information: They put up a special website to disseminate information as it becomes available. This does two things: 1) it establishes a central clearinghouse for relevant information, and 2) it reduces the volume of repetitive requests their support staff may receive.

#5 Beef up incident response staff: Speaking of support personnel to handle incident management, Zappos asked employees, regardless of department, to help absorb the sheer volume of breach-related communications they anticipated receiving in response to the situation.

In short, they handled this better than many. Although the goal would be to never have a breach in the first place, if it happens, there is a crisis of confidence among the customers. Acting quickly and decisively can work wonders toward restoring that confidence, as customers sense they are receiving current, relevant, and honest communication about the incident. Restoring confidence can still take years, but this style of communication can make things much better. In 2012 we hope to see fewer breaches, but it also may be wise to determine internally how your company would respond to a breach, what you would tell your customers, and what extra staff you might need to handle the extra support involved.

Author Cameron Camp, ESET

  • Vicki T

    Whew!  Thank you so much for this article.  I am a Zappos customer and, thankfully, the credit card I had on file was no longer valid, but what you have made me realize is that I need to get busy and start spiffing up my passwords on many sites.  I have known all along that this needs to be done, but I'm sure I am not alone when I say that I loathe changing passwords because I fear I will not remember them when I need them.  Great article, Cameron!

  • data breach

    Is it just me or are they making conflicting statements? I mean seriously,

    “…names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers and cryptographically scrambled passwords had been hacked.”

    and then they just throw this garbage

    "…THE DATABASE THAT STORES OUR CUSTOMERS' CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED."

    Even if we assume that cyber criminals don't have credit card numbers, the said information is candy for carders anyway.

  • Cameron Camp

    @data_breach: It's difficult to determine their internal storage mechanisms for their full card data. They say they are stored separately from the customer records that are in question; it's hard to say exactly without knowing how their data is set up. I have seen networks where a dedicated database server is used for payment card storage, due to PCI compliance issues, and more generic customer contact info is stored elsewhere. One way or another it's not very good news for customers, but let's hope the full cc data isn't part of the bounty for the scammers.

  • Jim Coker

    While you raise a couple of good points, I would like to disagree that Zappos did a good job in responding. As a recipient of their communication, I found no explanation that Zappos knew how the breach occurred nor assurances that they had sufficiently eliminated the possibility of it happening again. I see a reference in your article about a special web site being set up, yet there was no mention made in the Zappos email I received. And when I tried to contact their 24/7 customer support line, I learned they had shut it off, making it impossible to even leave a message requesting a call back. I emailed my questions to Zappos and received no response, not even an auto-response that it was received and would be handled later. So, no, I think Zappos has turned its back on the affected customers and should NOT be looked upon as a high-quality response to this unfortunate incident.

  • Cameron Camp

    @Jim: Thanks for the feedback. It's good to hear how their plans played out. Sorry to hear about your experiences. It's interesting to watch how companies respond during and after the initial flood of customer communication. It's encouraging to hear they had solid plans; it might also be good to hear from them about the rest of their experience and what they feel they could improve upon. Following their internal investigations it would seem they might send more follow-up information along; we'll wait and see.

17 Jan 2012