Zappos Breach: 8 Lessons Learned

  /     /     /  
Publicated : 22/11/2024   Category : security


Zappos Breach: 8 Lessons Learned


Security experts rate the shoe retailers response to hack that exposed data on up to 24 million customers.



How is Zappos handling the network breach that exposed information relating to as many as 24 million of its customers?
Based on whats publicly known about the
Zappos breach
, here are eight immediate lessons to learn for any business that wants to prevent data breaches and manage the notification process when a data breach does occur.
1. Advance planning mitigates breach fallout.
In its favor,
Amazon.com-owned Zappos
seemed to have already taken concrete information security steps--prior to the breach--to
mitigate the potential fallout
of any breach it might suffer. Such steps included
hashing all user passwords
and storing credit card data in a separate database.
[ Expect even more attacks in 2012. See
10 Security Trends To Watch In 2012
. ]
2. Create a response plan in advance.
Likewise, Zappos appeared to have a
data breach notification response plan
already in place. As part of that plan, the company
emailed all employees
with details about the breach, and included a copy of the breach-notification email it then sent to customers.
3. Issue a clear, timely warning.
After Zappos suffered a breach, the company issued a clear, timely notification to its customers, warning them that they should change their passwords on Zappos.com, as well as any other site on which they
reused the same passwords
. On this front, Zappos should be commended for alerting their customers in a timely fashion, said Tomer Teller, a security researcher at Check Point Software Technologies, via email.
4. Secure stored credit card data.
Cryptographically storing credit card numbers is a
Payment Card Industry Data Security Standard
(PCI DSS) requirement. Of course, that doesnt mean every company follows the PCI regulations. Thankfully, however, Zappos apparently did. The good news is that it looks like Zappos credit card information was encrypted or not stored in a way that hackers could use, said Mark Bower of Voltage Security, via email. So this is proof that protection can help with safeguarding customer data in the event hackers get their hands on it. More merchants should be taking these kinds of measures.
5. Notify customers in multiple ways.
When it comes to room for improvement, Zappos could have done more than just email a warning to its customers. Disappointingly, there is no mention of the security breach on the front page of the Zappos website--one platform you would imagine they would use to inform their customers that there was a security problem of which they should be made aware, said Graham Cluley, senior technology consultant at Sophos, in a
blog post
.
6. Think of non-U.S. customers.
For anyone located outside of the United States, as of Tuesday, the Zappos website--including the page for changing passwords--remained inaccessible. Instead, website visitors saw this message: We are so sorry--we are working on a few technical issues before opening up our site to traffic from locations outside the continental United States. We hope to open back up very soon. Zappos spokeswoman Diane Coffey of PR agency Kel & Partners said via email that as a result of preparing their systems for the volume of emails and customers changing their passwords, they are undergoing some system updates and they hope to open up to non U.S. users soon.
7. Tap external sites if necessary.
In its response, Zappos confirmed the site remained offline for non-U.S. users to help cut down on website traffic. But, seriously, how hard is it to host an important message like this on another trusted site? said Cluley. Indeed, Zappos parent Amazon.com arguably
has hosting bandwidth to spare
via Amazon Web Services. Why not tap it?
8. Pick the right breach support channels.
In the breach-notification message sent to employees, Zappos CEO Tony Hsieh said the company was immediately suspending telephone support, would only field customers breach-related queries via email, and would begin related training for all employees imminently. That was likely a smart business move. By asking all employees to pitch in, Zappos customers know that the company is responding to queries as quickly as possible, and arent left stewing in call center queues, if they would even able to get through.
Today, companies
get judged
on the steps they took to prevent a breach, as well as how they respond in the wake of a breach. Zappos preparation is notable, especially when compared with
other major data breaches
from the past year, including
Sony
and
Nasdaq
.
Of course, this isnt the end of the Zappos data breach story. The company has yet to answer many related questions--and may not yet know all of the answers--such as when the breach occurred and how long attackers had access to its systems before the breach was discovered. Furthermore, companies sometimes find after conducting a
digital forensic investigation
that the
breach was worse
than it first appeared. Then again, with proper preparation, sometimes businesses find during their investigation that the breach isnt as bad as it first appeared.
Find out how to create and implement a security program that will defend against malicious and inadvertent internal incidents and satisfy government and industry mandates in our
Compliance From The Inside Out
report. (Free registration required.)

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Zappos Breach: 8 Lessons Learned