I’m a Zappos customer, having bought quite a number of pairs of shoes for my family, and I got an email this week with very clear notification that their site had been breached, along with a lot of information regarding exactly what had been compromised. I don’t like it that there was a breach, but I do like the transparency that Zappos is exhibiting in this. I also appreciate that steps were taken prior to the breach that limited the exposure of my personal information. If you want a great summary of lessons learned from the Zappos breach, check out this story on Information Week outlining what they deem to be the top learnings from the Zappos breach, so far.
Zappos was very clear about what they believe to be the extent of the damage:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
THE BETTER NEWS:
The database that stores your critical credit card and other payment data was NOT affected or accessed.
That news doesn’t make me happy, but at least I have accurate information to help me respond appropriately. Another plus – Zappos expired all the passwords immediately, and required all customers to create a new password, using a very secure workflow to reduce the risk of bad guys resetting my password.
Not if, but when… What will you do when you are breached?
Based on experience end research data (for example, a recent study from the Ponemon Institute which discusses the number of organizations that have been breached) it is almost a statistical certainty you will be breached. The important thing is how long it takes you to notice, then what you do in response. From what I know today, Zappos is handling this in just about the best way we can expect.
In contrast, a recent breach of Symantec in which Symantec Antivirus code was stolen, wasn’t as well-handled. It seems Symantec’s source code was stolen last week but the initial reports from the company claimed that the information had been stolen from a foreign partner, but on Tuesday, January 17, the company disclosed that the source code was actually stolen from its own corporate network.
I spent a good part of the day with a few info sec professionals who happen to be Symantec customers today, and this news didn’t go over very well. While these customers understand that any organization can be breached, they felt they’d been let down by Symantec and are questioning how much they trust them in light of how this incident was communicated.
It is hard to be transparent when it makes you uncomfortable, but there is a lesson to be learned here. If you experience a breach, be forthright with your customers and take appropriate action to make things better – Zappos, while not perfect, has done this. Anything less puts your relationship with your customers at risk.