Zappos data breach response a good idea or just panic mode?
- 18 January, 2012 07:29
In acknowledging a data breach in which information related to as many as 24 million customers was stolen, online shoe and clothing retailer Zappos has taken assertive steps, including compelling customers to change passwords and temporarily forgoing its 800-number phone service in an effort to redeploy customer-service representatives to respond to customer email.
These steps are all part of the breach response strategy undertaken last Sunday, when Zappos CEO Tony Hsieh posted an open letter online to Zappos employees about a "cyberattack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky." In this open letter, Hsieh wrote, "The most important focus for us right now is the safety and security of our customers' information. Within the next hour, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help them through the process of choosing a new password for their accounts," adding that the existing customer passwords had been terminated.
So far, analysts and customers have a mixed reaction to the approach Zappos -- now part of Amazon -- has taken, which also included sending out an email notification on Sunday night to customers informing them of the breach.
Zappos says the attacker likely gained access to customer name, email address, billing and shipping addresses, phone numbers, the last four digits of the customer card numbers and the customer's "cryptographically scrambled password." But other payment data, such as full credit-card and payment information, is not believed to have been accessed by the attacker.
Overall, the Zappos response strategy is "not a good idea," contends John D'Arcy, assistant professor of information technology at the University of Notre Dame. The Zappos decision to terminate customer password access, he says, makes it appear that "it's a panic mode" and would likely create a sense of panic. "Maybe they went overboard," he says. He believes the motivation for the attack is probably to gain information to sell to competitors on the black market, although phishing attacks to try to steal more customer information are also a possibility.
Other analysts generally praised the Zappos response. Gartner analyst John Pescatore, while noting he doesn't know whether Zappos sufficiently protected its systems, said he finds the Zappos public response to be a good one so far, especially in terms of communicating publicly, adding that "avoiding exposures of course is much better."
Others question the Zappos security approach. Mark Bower, data protection expert and vice president at Voltage Security, said he had to wonder why data security wasn't applied at Zappos to more thoroughly protect other regulated and sensitive personal data, which is also useful to attackers. Todd Thiemann, senior director of marketing at Vormetric -- who also counts himself as a customer of Zappos and of its other online store, 6PM.com, which also had data stolen -- thinks encryption should have been applied more broadly. "The definition of what is sensitive is changing," Thiemann said. "It's not just card numbers anymore, it could be the shipping address, too."
Thiemann said he got very similar email data-breach notifications last Sunday from both Zappos and 6PM, but he hasn't yet changed his passwords. The benefit of a password, he says, is that you don't have to re-enter customer information when the password is used. He says he doesn't want credit-card information stored by online stores for reuse, and he's uncertain what Zappos and 6PM do in that regard. Overall, however, he says Zappos and 6PM are doing a good job getting information out about the data breach.
The Zappos 800-number service has a recording on it today saying service representatives aren't available to speak on the phone and encourages anyone phoning to send an inquiry to an email address. Redeploying the Zappos employees this way "doesn't make sense," Notre Dame assistant professor D'Arcy says. "It leads me to believe they weren't prepared for an event like this." However, he adds that Zappos is doing a good job of getting information out to the public, which benefits customers and usually brings favorable reactions.
The cost of handling the data breach will probably be high for Zappos. One estimate of data breach costs comes from the Ponemon Institute, whose most recent annual survey and analysis of data breach incidents put the cost of a data breach at an average of $214 per compromised record. If 24 million customer records are really at stake, that would in theory put Zappos in the $5 billion range, which sounds like an impossible number. D'Arcy says he finds the Ponemon per-record cost estimate far too high, and stock investors have tended to accept data-breach costs as part of doing business.
Some online comments at the Zappos site suggest a mixed reaction from customers on how Zappos is handling the data-breach incident so far.
"Zappos site was hacked, why not tell everyone that instead of trying to hide it under 'security updates,' I would like my accounts to be removed," wrote one individual. "Lawyers get ready." However, other individuals online expressed confidence in the remediation approach Zappos is taking, saying, "... good job. Now I'm ready to shop again."
Zappos has indicated it may make additional information available about the cyberattack on its website.