According to news reports like this one at PC World, and a letter sent to its customers, Zappos.com, the online shoe and apparel retailer, was the victim of a cyberattack. A customer database containing information on more than 24 million Zappos customers was accessed. The company, founded in 1999, was bought in 2009 by Amazon.com for over US $900 million.
Zappos informed its customers in the letter that the good news was:
"The database that stores your critical credit card and other payment data was NOT affected or accessed."
However, the bad news, Zappos said, was that:
"... there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password)."
As a result, Zappos reset all customer passwords, and it recommended that, "... you change your password on any other web site where you use the same or a similar password."
A ZDNET blog post on the incident reinforces the importance of that advice. It points to a recent academic study reporting that "... among [common] customers of the Gawker and rootkit.com sites whose passwords were stolen and exposed, 76 percent used the same password at both sites." The post also discusses how the information taken from Zappos.com (names, e-mail addresses, the last four card digits) could be used for targeted phishing or for impersonating customers at other websites.
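Why a "cryptographically scrambled" password and a password-reuse rate of 76 percent together add up to a real risk is easier to see in code. The following is an added example written for this post, not code from Zappos, ZDNET or the study cited above. It assumes two breached sites: site A stored unsalted SHA-256 hashes of passwords and site B stored per-user salted SHA-256 hashes; both dumps, the e-mail addresses and the wordlist are constructed here and are not real records. It cracks the weak accounts at A with a small dictionary and then tests each recovered password against the same person's account at B, which is the same cross-site comparison the study describes.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Everything below is constructed for this example. The hash formats are
# assumptions; the page does not say how Zappos scrambled passwords.


def sha256_hex(data: str) -> str:
    """Hex SHA-256 of a string, used to build and to crack the sample dumps."""
    return hashlib.sha256(data.encode()).hexdigest()


# Site A (assumed): unsalted SHA-256 of the password, keyed by e-mail.
_SITE_A_PLAINTEXT = {
    "alice@example.com": "password",
    "bob@example.com": "shoes2012",
    "carol@example.com": "Tr0ub4dor&3",   # not in the wordlist, stays uncracked
    "dave@example.com": "letmein",
}
SITE_A_DUMP: Dict[str, str] = {
    email: sha256_hex(pw) for email, pw in _SITE_A_PLAINTEXT.items()
}

# Site B (assumed): random per-user salt, hash = SHA-256(salt || password).
_SITE_B_PLAINTEXT = {
    "alice@example.com": "password",       # reused from site A
    "bob@example.com": "differentPass!",   # different password at B
    "dave@example.com": "letmein",         # reused from site A
    "erin@example.com": "qwerty",          # no account at A
}
SITE_B_DUMP: Dict[str, Tuple[str, str]] = {}
for _email, _pw in _SITE_B_PLAINTEXT.items():
    _salt = os.urandom(8).hex()
    SITE_B_DUMP[_email] = (_salt, sha256_hex(_salt + _pw))

# A deliberately tiny dictionary; real attacks use lists of hundreds of millions.
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "shoes2012"]


def crack_unsalted(dump: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack on unsalted hashes.

    Without a salt, one hash per candidate word is computed once and then
    matched against every account in the dump at the same time.
    """
    lookup = {sha256_hex(word): word for word in wordlist}
    return {email: lookup[h] for email, h in dump.items() if h in lookup}


def verify_salted(salt: str, digest: str, candidate: str) -> bool:
    """Check one candidate against one salted record (the cost a salt imposes:
    every guess must be recomputed per user)."""
    return sha256_hex(salt + candidate) == digest


def cross_site_reuse(
    cracked: Dict[str, str], other_dump: Dict[str, Tuple[str, str]]
) -> Tuple[List[str], int]:
    """For each account cracked at A that also exists at B, try the recovered
    password against B's salted hash. Returns (reused accounts, accounts compared)."""
    reused: List[str] = []
    compared = 0
    for email, password in cracked.items():
        if email not in other_dump:
            continue
        compared += 1
        salt, digest = other_dump[email]
        if verify_salted(salt, digest, password):
            reused.append(email)
    return reused, compared


def reuse_rate(
    cracked: Dict[str, str], other_dump: Dict[str, Tuple[str, str]]
) -> float:
    """Fraction of compared accounts whose password from A also opens B."""
    reused, compared = cross_site_reuse(cracked, other_dump)
    return len(reused) / compared if compared else 0.0


if __name__ == "__main__":
    cracked = crack_unsalted(SITE_A_DUMP, WORDLIST)
    reused, compared = cross_site_reuse(cracked, SITE_B_DUMP)
    print(f"cracked {len(cracked)} of {len(SITE_A_DUMP)} site-A accounts")
    print(f"{len(reused)} of {compared} shared accounts reuse the password")
```

Two things worth noting from the run. The salt at site B did nothing to protect alice and dave: a salt stops an attacker from cracking all accounts with one table, but once the attacker already knows a specific user's password from another breach, a single salted hash computation confirms it. And the attacker never needed to crack site B at all; the reused password can simply be tried at B's login page. That is why "we only lost scrambled passwords" is cold comfort and why Zappos told customers to change the same password everywhere else.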
Zappos also warned customers about the possibility of phishing e-mails, purporting to come from Zappos.com, asking for personal information.
The letter also states:
"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation."
The letter also informed all employees at the company's headquarters, "regardless of department," that they would be helping customers through the password change process. Zappos CEO Tony Hsieh also said that the company would temporarily turn off its phones and asked customers to contact it by e-mail if they had questions or problems, the fear being that the volume of customer calls would overwhelm the company's phone system.
The PC World story says that non-US customers have not been able to access the Zappos.com website. Those who tried were met with a message telling them that, "We are currently undergoing some system maintenance that has limited our international customers in accessing our web site."
So far, neither how the Zappos.com database was breached nor how long the attacker had access has been disclosed.
Zappos apologized to its customers for the inconvenience, stating on its web site that: "We understand that the safety of your personal information is extremely important to you," and that, "We use a wide array of electronic and physical security measures and devices to protect your personal data and credit card information from unauthorized access."
This incident, like the many others before it, should encourage Zappos and other online retailers to do more than just meet the PCI DSS requirements for protecting credit card data, and to start encrypting other customer data, such as e-mail and physical addresses, as well.
Contributing Editor Robert N. Charette is an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Along with being editor for IEEE Spectrum’s Risk Factor blog, Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.