What Companies can Learn from the Zappos Breach


Companies are under siege from cyberattacks more than ever, with news of data breaches, phishing attacks, and other digital security exploits nearly a daily occurrence. So when news broke that online retailer Zappos (now owned by Amazon) had been the victim of a new cyberattack, I'm sure we shrugged our shoulders and collectively said "Here we go again."

While the full details of the how and why of the Zappos attack are still to emerge, an email from Zappos CEO Tony Hsieh to employees earlier this week stated that "We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky." Zappos immediately issued a forced password reset of all 24+ million customer accounts, and also sent an email to consumers telling them about the breach, advising them to reset their passwords, and pointing them to additional resources for information. I think Zappos handled the breach better than most, and could serve as a good example for other companies to follow. Companies that are slow to reveal an attack to their customers, or hide their heads in the sand, or immediately set out with a blame-shifting strategy deserve to be criticized.
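Of the steps described above, the forced password reset is the one with the most technical detail to get right: every account must be flagged, live sessions revoked, the old (possibly stolen) credential rejected even when it is entered correctly, and the reset token made single-use, time-limited and unusable to set the same password again. The following Python is an added illustration of that flow, not Zappos' code or any description of their systems; the in-memory store, the 24-hour token lifetime and the PBKDF2 parameters are assumptions made for the example.

```python
"""Forced password reset after a breach (added example, not Zappos' code).

Assumptions: accounts live in an in-memory dict, reset tokens are valid for
24 hours, and sending the reset email is left to the caller."""
import hashlib
import hmac
import os
import secrets
import time

TOKEN_LIFETIME = 24 * 3600  # assumed reset window, in seconds


def _hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count chosen for the example only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class AccountStore:
    def __init__(self) -> None:
        self.users = {}         # email -> {"salt", "hash", "reset_required"}
        self.sessions = {}      # session id -> email
        self.reset_tokens = {}  # sha256(token) -> (email, expiry timestamp)

    def create(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[email] = {"salt": salt, "hash": _hash(password, salt),
                             "reset_required": False}

    def login(self, email: str, password: str):
        """Return a session id, or None. A flagged account is refused even
        when the old password is correct, since that password is assumed
        compromised."""
        rec = self.users.get(email)
        if rec is None or rec["reset_required"]:
            return None
        if not hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = email
        return sid

    def force_reset_all(self, now: float = None) -> dict:
        """Incident-response step: flag every account, kill every session,
        and mint one single-use reset token per user. Returns the plaintext
        tokens so the caller can email them; only their hashes are stored."""
        now = time.time() if now is None else now
        self.sessions.clear()
        tokens = {}
        for email, rec in self.users.items():
            rec["reset_required"] = True
            tok = secrets.token_urlsafe(32)
            key = hashlib.sha256(tok.encode()).hexdigest()
            self.reset_tokens[key] = (email, now + TOKEN_LIFETIME)
            tokens[email] = tok
        return tokens

    def complete_reset(self, token: str, new_password: str,
                       now: float = None) -> bool:
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.get(key)
        if entry is None:
            return False                      # unknown or already used
        email, expiry = entry
        if now > expiry:
            del self.reset_tokens[key]        # expired: discard it
            return False
        rec = self.users[email]
        if hmac.compare_digest(_hash(new_password, rec["salt"]), rec["hash"]):
            return False                      # same password again; token kept so the user can retry
        del self.reset_tokens[key]            # single use
        salt = os.urandom(16)
        rec["salt"], rec["hash"] = salt, _hash(new_password, salt)
        rec["reset_required"] = False
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice@example.com", "hunter2")   # constructed sample account
    tokens = store.force_reset_all()
    print("old password accepted:", store.login("alice@example.com", "hunter2") is not None)
    print("reset with new password:", store.complete_reset(tokens["alice@example.com"], "a-fresh-one"))
    print("new password accepted:", store.login("alice@example.com", "a-fresh-one") is not None)
```

The two details most often missed in a real rollout are both covered here: the old password is refused by `login` before it is even hashed, so a leaked credential buys nothing during the reset window, and `complete_reset` declines to set the same password again, since the whole point of the reset is that the old one may be in the attacker's hands.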

ESET Security Researcher Cameron Camp goes into more detail about what Zappos did right in a blog post over at the ESET Threat Blog, and I'd suggest that Camp's post should be required reading for the CEO, CISO, and IT/PR departments of every company that maintains a database of customer information. Here's one especially good bit of advice that Camp offers to any company that wants to maintain good relationships with its customers after a breach:

Tell users where to find more information: [Zappos] put up a special website to disseminate information as it becomes available. This does two things: 1) establishes a central clearinghouse for relevant information, and 2) reduces the repetitiveness of the requests their support staff may receive.

Camp stresses that companies should release information quickly about cyberattacks to their customers, a move that can have positive benefits down the road. "Acting quickly and decisively can work wonders toward restoring that confidence, as customers sense they are receiving current, relevant, and honest communication about the incident," Camp writes. "Still, restoring confidence can take years, but this style of communication can make things much better."

So what do you think about the aftermath of the Zappos attack? Feel free to add a comment to this blog post or contribute to the discussion on Twitter.

Discuss this Blog Entry 3

on Jan 19, 2012
@Sean Deuby: Zappos announced the news on the 15th. How many days after that notification did you get the emails?
on Jan 19, 2012
It takes a long time to send 24 million emails. Properly managed mailing lists in the hundreds of thousands can take hours, usually broken down into controlled batches, ensuring proper mail flow. You don't just click a button and expect 24 million emails to go out successfully without any issues... not unless you own your own mail server farm and run your own mailing list software on dedicated mailing list servers, which most companies don't have (I can't speak for Zappos). As for what the company did, I agree that this is the best response. You can barely ever hide incidents like this any more, so better to face the facts and act properly: take the immediate hit to your reputation and mitigate effects by actively improving your existing security policies in all aspects of your business. Sitting on it will be the worst of the overall outcomes, as the news will eventually come out, and your business will show its true colours, unable to properly handle modern security pressures. If I were a client, and the business took the latter approach, I would no longer be a client. Not the other way around.
on Jan 18, 2012
How long does it take to send 24 million emails? My wife got the breach notification TWO DAYS before I got mine.


What's Security Blog?

Security news, views, product reviews, and solutions for Microsoft Windows IT professionals.
