Burlington Coat Factory's Site Shut Down By DDOS Attack, 45-Hour Incident Complicated By Comments

Attackers shut down the Burlington Coat Factory chain's site late Sunday (May 8) with a distributed denial of service attack, one that kept the site and its mobile counterpart shuttered until mid-afternoon Tuesday (May 10). The 45-hour incident was complicated by a CIO statement that "there was no breach of security systems"—proving a negative is never easy—and by some customer service representatives who told customers a very different story.

Problems were first detected with Burlington's main site—called Coat.com—about 4 PM (New York time) on Sunday (May 8), when Web uptime tracking site AlertBot noticed "intermittent outages." The site then went completely dark at about 5:20 AM Monday (May 9), said AlertBot's Justin Noll.

Burlington's official version is slightly different, with a statement issued by CIO Dennis Hodgson saying that the chain "was subjected to a denial of service attack early" Monday.

In a clarifying E-mail exchange, Hodgson corrected his reference to a DOS attack to the more specific DDOS. "It was in fact a DDOS attack that flooded our servers with traffic," Hodgson wrote. No clarification was offered on the timing.

The CIO statement—without mentioning times—said that the chain "decided to shut down its site while we worked on a solution." It's unclear whether it was Burlington that caused the full shutdown at 5:20 AM Monday or whether it was the attackers, with Burlington opting not to try to bring the site back up while a defense was mounted.

From a retail strategy position, though, the more interesting comment was the next line: "We have determined that there was no breach of its security systems." This raises a few issues. The typical post-breach comment—to comfort customers who are worried about stolen payment-card data or personal information sought by identity thieves—is more reserved, such as "at this stage of our investigation, we have found no evidence of any data breach."

To outright pledge that there was no breach seems ill-advised. The best cyberthieves carefully hide their tracks, leaving little to no evidence of their data-copying efforts, and a flood of attack traffic tends to drown out the very logs and monitoring an investigator would need to spot exfiltration happening underneath it. Indeed, in the details that came out this month from the massive Sony data breach, the attackers literally used a DOS attack as a diversion while they engaged in a data breach impacting more than 100 million accounts.

The other issue with the security statement is the phrase "no breach of its security systems." It seems as though the CIO's intent was to make clear that neither payment-card nor PII data appeared to have been affected. But isn't the mere act of a successful DDOS attack clearly a breach of a chain's security systems?

Cyberhoodlums deprived your customers of your site, deprived your chain of its ability to make cyber sales and to direct customers to its stores and its mobile site, and did so against the law. To then say that "there was no breach of security systems" is truly baffling.

Further complicating the situation were some customer service people—specifically those handling the Web site—who told callers that the site was down because an update at one of Burlington's sites—Baby Depot—had inserted a duplicate product code, which cascaded into a problem with a large number of product codes. Hodgson quickly said that Baby Depot had nothing to do with the incident and that the chain had not been discussing the particulars of the attack with customer service call center people at that point.

Withholding the particulars of an attack from the call center is absolutely the proper way to handle such a matter. But it does bring up a cyber-attack-related training and policy issue. Nature is said to abhor a vacuum, and customer service reps—the ones who will be dealing with your customers during an incident like this—abhor an information vacuum even more.

Faced with questions, they will tend to repeat rumors, make guesses and do anything else they can think of to avoid sounding out of the loop. If answers will make customers happier, they'll offer some. This is true unless the company has specific, approved answers that it gives reps the instant a problem kicks in, even if that answer is only "the site is unavailable, the cause is being investigated, and here is what we can tell you now." Focusing elsewhere and letting the call center people fend for themselves for hours may leave them giving answers you won't be happy with.