Zappos takes steps to reassure customers in latest hack

We are not three weeks into January of 2012 and we already have a big hack. On Sunday, Zappos.com, the online source for shoes for millions of customers, was hacked, and according to Zappos that could mean 24 million customer accounts have been breached.
In the cyber attack, names, email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and encrypted passwords may have been grabbed and walked right out the front door, or back door, in
Zappos, based in Henderson, Nevada, was bought by Amazon.com in 2009 and quickly became known for its wild and weird advertising events and out-of-the-ordinary work culture. The company also had a very lenient return and refund policy, which attracted many customers, but this time the company needs to get serious and toe the line.
The company has been swift to respond.
Tony Hsieh explained to Zappos customers, via the website (http://www.zappos.com/passwordchange), that the site was hacked by unauthorized and illegal sources. Hsieh has some good news: the database storing the credit card and payment history was unaffected because it was stored on another server.

I think it is important to point out an interview with Hsieh in the Christian Science Monitor (http://www.csmonitor.com/Business/Latest-News-Wires/2012/0117/Zappos-hacked-24-million-accounts-at-risk), where he said, “We’ve spent over 12 years building our reputation, brand, and trust with our customers.” Hsieh also said this in an email to customers: “It’s painful to see us take so many steps back due to a single incident.”
It may be painful for its customers, too. That no full credit card numbers were stolen does not mean 24 million Zappos customers can breathe a sigh of relief. We’ve said it before, on air and online: a hacker snooping around with your name, address, phone number and even the last four digits of your credit card could spell disaster. This could be enough to form the basis of identity theft, and perhaps of penetrating other companies with which a Zappos customer may be storing their credit card.
Hsieh also told his employees the company will be training everyone on the specifics of how to best help our customers through their password change process now that their passwords have been reset and expired.
Still, customers’ passwords were also exposed in the hack, but because they were encrypted, it’ll take much longer to decode them.
Everyone should be changing their passwords on a regular basis, so we cannot fault Zappos on this point. What we can talk about is how Zappos monitors their systems.
I would venture to say that Zappos and other companies may be using software that monitors for suspicious activity on their networks, perhaps in real time. The sooner an organization detects a breach, the more quickly it can contain it. On the surface this is a good idea, yet these systems sometimes report normal activity as suspicious. These false alarms may eat up a security investigator’s time while a real threat emerges. It is too early to know if Zappos did anything wrong or slipped up; what is positive is how fast they reacted. I wouldn’t cast blame just yet, and I will follow this story.
Could this be bigger than Sony’s PlayStation hack last year (http://www.cnn.com/2011/TECH/gaming.gadgets/04/26/playstation.network.hack/index.html)? Hackers crippled Sony’s PlayStation Network, which has some 70 million subscribers, in April of 2012.
I’m a government cleared cybersecurity expert (a Certified Ethical Hacker), and the Vice-President of Cyber at SIRCO, an investigations and protections firm in Montréal, Canada.
I’m also a frequent contributor to National & Global media reportage about cyber-crime, spying, security failures, internet scams, and the real social network dangers that families and individuals face every day.