Zappos Breach's Payment Card Pledge Very Risky

When Amazon's Zappos apparel unit (and its sister site, 6pm.com) announced on Sunday (Jan. 15) that more than 24 million customers had their information potentially stolen from its site, Zappos took the radical—but wise—move of wiping out all of its passwords. That caused massive disruptions to the company, shutting down customer service phone access and access to the site from outside the U.S., in addition to inconveniencing all customers.

But it was the unequivocal declaration that payment systems had not been touched that raised eyebrows. At this early stage of a breach investigation—knowing that cyberthieves tend to be quite good at hiding their tracks and creating misleading tracks—is such a blanket promise to customers reckless?

In a publicly disclosed employee E-mail, Zappos CEO Tony Hsieh said—and the uppercase used here is what he used in the E-mail—"we can say that THE SECURE DATABASE THAT STORES OUR CUSTOMERS' CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED."

Had he said "We have no reason to believe payment card systems were affected or accessed" or "The initial investigation has discovered no evidence—nor even vague hints—that any of our payment systems have been touched," no problem. But to make a declarative statement that specific sensitive systems were, indeed, untouched seems needlessly risky.

The attack itself, according to the Zappos E-mail, was done "by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky." It's not clear if the reference to "a criminal" means that the company believes it was a single attacker. It's more likely that the E-mail may not have been phrased that precisely.

The information accessed included name, E-mail address, billing/shipping addresses, phone numbers, last four digits of payment card number and "your cryptographically scrambled password (but not your actual password)." That last reference was presumably intended to comfort consumers that their passwords aren't necessarily known, but given rainbow tables, there should be no comfort in the phrase. The actual passwords could likely be recovered.
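
Why a "cryptographically scrambled" password offers little comfort on its own, as an added illustration (not from the Zappos statement, and nothing here reflects how Zappos actually stored passwords): a fast unsalted hash turns every leaked hash into a single lookup against a precomputed table, whereas a per-user salt and a slow key-derivation function make such a table useless. The five-entry candidate list is a constructed stand-in for a real table.

```python
import hashlib
import hmac
import os

# Constructed sample standing in for a precomputed (rainbow) table. Real tables
# cover billions of candidates; the mechanism is identical.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "iloveyou"]
PBKDF2_ITERATIONS = 200_000


def fast_unsalted_hash(password: str) -> str:
    """Unsalted SHA-1: 'scrambled', but identical for every user with that password."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> plaintext once. Afterwards each leaked unsalted hash
    is a dictionary lookup, not a cryptanalysis problem."""
    return {fast_unsalted_hash(p): p for p in candidates}


def recover_from_table(table, leaked_hash):
    """Return the plaintext behind a leaked hash if the table covers it, else None."""
    return table.get(leaked_hash)


def salted_slow_hash(password: str, salt=None, iterations=PBKDF2_ITERATIONS):
    """Defensive storage: random per-user salt plus PBKDF2-HMAC-SHA256.
    The salt is stored beside the digest; it is not secret, it only has to be
    unpredictable so no table could have been computed in advance."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    _, digest = salted_slow_hash(password, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = fast_unsalted_hash("password")          # what a breach would expose
    print("unsalted lookup ->", recover_from_table(table, leaked))   # 'password'
    salt, stored = salted_slow_hash("password")
    print("salted digest in table? ->", recover_from_table(table, stored.hex()))  # None
    print("login still works ->", verify_salted("password", salt, stored))       # True
```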

By taking the bold move to reset and expire all passwords, the CEO threw the company into planned chaos. Given that phone calls would quickly overwhelm the call center, customer service phone access was cut off while "all employees at our headquarters, regardless of department, (are being asked) to help with assisting customers."

The inconvenience to customers was hardly trivial; the Zappos site does not allow guest accounts—meaning that all purchases must be from a password-protected account. In other words, if someone didn't feel like taking the time to reset his or her password, no purchase was permitted. Site access from outside the U.S.—even to reset the password—was also denied, at least initially. It's not clear how long the non-U.S. restrictions will last, nor how widespread they were. Connections from Canada on Wednesday (Jan. 18), for example, were working fine.

The original E-mail statement said that Zappos was "recently the victim of a cyber attack," but it didn't quantify "recently." Some of the applause for Zappos for having quickly described the situation to customers may prove premature. The incident, for example, might turn out to have happened months earlier.

The dramatic nature of killing all passwords certainly suggests that management believed it was a recent incident, in the sense that it would seem unnecessary if the breach had been eight months old. Then again, whenever it was discovered, cleaning out all password files is also the best way to cut losses, so that action may not reveal that much about when the incident had been discovered.

Given that the incident wasn't announced until Sunday, this case may be eligible for an award for the fastest retail data breach class-action lawsuit ever filed. The lawsuit, on behalf of a Texas customer of Zappos "and on behalf of 24 million similarly situated persons," was filed on Monday (Jan. 16) in federal court in Kentucky.

That lawsuit filing stated facts that differed from the Zappos statement, and one of the attorneys involved in the case, Ben Barnow, wouldn't say where that information came from. For example, where the Zappos statement referred to a single "criminal," the lawsuit said the information was "stolen by hackers." Beyond the plural versus singular issue, a hacker is simply a resourceful programmer. (We hate the maligning of the honorable hacker title.) Then again, the reference to "stolen" probably gets us to the same place. (But the attacker might not have been a hacker. The attacker might have been lazy and uncreative.)

More seriously, though, the lawsuit said the attack hit "the company's unprotected servers located in western Kentucky." Unprotected? Had it claimed "insufficiently protected" or "inadequately protected," that would have made more sense. Are the attorneys actually saying that the attacked server was completely unprotected? If true, that would be E-Commerce heresy. Barnow declined to clarify.

My favorite part of the statement was a wonderful line, where Zappos' Hsieh showed the math to support the decision to temporarily shut down the call center. The move was absolutely correct. But seeing the numbers spelled out for employees—and for customers—is wonderfully powerful.

"We have made the hard decision to temporarily turn off our phones and direct customers to contact us by E-mail, because our phone systems simply aren't capable of handling so much volume," the CEO penned. "If 5 percent of our customers call, that would be more than 1 million phone calls, most of which would not even make it into our phone system in the first place."

Word choices—and informational holes—aside, Zappos' move looks to be a picture-perfect example of how such a data breach response should be done.

  • Halt the damage immediately (clear out all passwords).
  • Assign everyone to get involved to make the pain as short-lived as possible.
  • Take a painful hit for a few days on revenue and operations and get—in theory—done with the bloody thing relatively quickly.