
Zappos Breach: 8 Lessons Learned

Security experts rate the shoe retailer's response to hack that exposed data on up to 24 million customers.

How is Zappos handling the network breach that exposed information relating to as many as 24 million of its customers?

Based on what's publicly known about the Zappos breach, here are eight immediate lessons to learn for any business that wants to prevent data breaches and manage the notification process when a data breach does occur.

1. Advance planning mitigates breach fallout. In its favor, Zappos seemed to have already taken concrete information security steps--prior to the breach--to mitigate the potential fallout of any breach it might suffer. Such steps included hashing all user passwords and storing credit card data in a separate database.


2. Create a response plan in advance. Likewise, Zappos appeared to have a data breach notification response plan already in place. As part of that plan, the company emailed all employees with details about the breach, and included a copy of the breach-notification email it then sent to customers.

3. Issue a clear, timely warning. After Zappos suffered a breach, the company issued a clear, timely notification to its customers, warning them that they should change their passwords on the Zappos site, as well as on any other site on which they reused the same passwords. On this front, "Zappos should be commended for alerting their customers in a timely fashion," said Tomer Teller, a security researcher at Check Point Software Technologies, via email.

4. Secure stored credit card data. Cryptographically storing credit card numbers is a Payment Card Industry Data Security Standard (PCI DSS) requirement. Of course, that doesn't mean every company follows the PCI regulations. Thankfully, however, Zappos apparently did. "The good news is that it looks like Zappos credit card information was encrypted or not stored in a way that hackers could use," said Mark Bower of Voltage Security, via email. "So this is proof that protection can help with safeguarding customer data in the event hackers get their hands on it. More merchants should be taking these kinds of measures."

5. Notify customers in multiple ways. When it comes to room for improvement, Zappos could have done more than just email a warning to its customers. "Disappointingly, there is no mention of the security breach on the front page of the Zappos website--one platform you would imagine they would use to inform their customers that there was a security problem of which they should be made aware," said Graham Cluley, senior technology consultant at Sophos, in a blog post.

6. Think of non-U.S. customers. For anyone located outside of the United States, as of Tuesday, the Zappos website--including the page for changing passwords--remained inaccessible. Instead, website visitors saw this message: "We are so sorry--we are working on a few technical issues before opening up our site to traffic from locations outside the continental United States. We hope to open back up very soon." Zappos spokeswoman Diane Coffey of PR agency Kel & Partners said via email that "as a result of preparing their systems for the volume of emails and customers changing their passwords, they are undergoing some system updates and they hope to open up to non U.S. users soon."

7. Tap external sites if necessary. In its response, Zappos confirmed the site remained offline for non-U.S. users to help cut down on website traffic. "But, seriously, how hard is it to host an important message like this on another trusted site?" said Cluley. Indeed, Zappos' parent arguably has hosting bandwidth to spare via Amazon Web Services. Why not tap it?

8. Pick the right breach support channels. In the breach-notification message sent to employees, Zappos CEO Tony Hsieh said the company was immediately suspending telephone support, would only field customers' breach-related queries via email, and would begin related training for all employees imminently. That was likely a smart business move. By asking all employees to pitch in, Zappos' customers know that the company is responding to queries as quickly as possible, and aren't left stewing in call center queues, if they would even be able to get through.

Today, companies get judged on the steps they took to prevent a breach, as well as how they respond in the wake of a breach. Zappos' preparation is notable, especially when compared with other major data breaches from the past year, including Sony and Nasdaq.

Of course, this isn't the end of the Zappos data breach story. The company has yet to answer many related questions--and may not yet know all of the answers--such as when the breach occurred and how long attackers had access to its systems before the breach was discovered. Furthermore, companies sometimes find after conducting a digital forensic investigation that the breach was worse than it first appeared. Then again, with proper preparation, sometimes businesses find during their investigation that the breach isn't as bad as it first appeared.


User Rank: Apprentice
1/20/2012 | 6:23:51 PM
re: Zappos Breach: 8 Lessons Learned
I also did not get any information as a VIP customer - and I was hacked - I noticed a fraudulent Zappos charge on my credit card statement in December and called Zappos. I thought my credit card number was stolen. Nothing is quite what it seems.
User Rank: Apprentice
1/17/2012 | 9:43:05 PM
re: Zappos Breach: 8 Lessons Learned
I'm so frustrated that all of these articles say that Zappos contacted their customers. I am a VIP customer and did not receive any information from Zappos regarding this hacking event. Only after trying to do a return, and not being able to get through to the company, did I think something was up and found these articles.
User Rank: Apprentice
1/17/2012 | 6:50:43 PM
re: Zappos Breach: 8 Lessons Learned
Zappos has yet to navigate a safe recovery for their customers. In the report Zappos said the hackers got the email addresses of its 24 million customers. The hackers know Zappos will be emailing all those customers to try to get them to reset their passwords. All the hackers have to do now is masquerade as Zappos and send those same customers an email asking them to recreate their account and provide a link to a fake look-alike site the hackers operate. Now the hackers will get the customer's usernames, passwords and possibly credit card numbers.

The point is that no customer whose data is compromised should trust an email they receive from someone claiming to be Zappos.
