What Companies can Learn from the Zappos Breach


Jeff James

January 18, 2012


Companies are under siege from cyberattacks more than ever, with news of data breaches, phishing attacks, and other digital security exploits nearly a daily occurrence. So when news broke that online retailer Zappos (now owned by Amazon) had been the victim of a new cyberattack, I'm sure we shrugged our shoulders and collectively said "Here we go again."

While the full details of the how and why of the Zappos attack are still to emerge, an email from Zappos CEO Tony Hsieh to employees earlier this week stated that "We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky." Zappos immediately issued a forced password reset of all 24+ million customer accounts, and also sent an email to consumers telling them about the breach, advising them to reset their passwords, and pointing them to additional resources for information. I think Zappos handled the breach better than most, and could serve as a good example for other companies to follow. Companies that are slow to reveal an attack to their customers, or hide their heads in the sand, or immediately set out with a blame-shifting strategy deserve to be criticized.

ESET Security Researcher Cameron Camp goes into more detail about what Zappos did right in a blog post over at the ESET Threat Blog, and I'd suggest that Camp's post should be required reading for the CEO, CISO, and IT/PR departments of every company that maintains a database of customer information. Here's one especially good bit of advice that Camp offers to any company that wants to maintain good relationships with its customers after a breach:

Tell users where to find more information: [Zappos] put up a special website to disseminate information as it becomes available. This does two things: 1) established a central clearinghouse for relevant information, and 2) reduced the repetitiveness of the requests their support staff may receive.

Camp stresses that companies should release information about cyberattacks to their customers quickly, a move that can pay off down the road. "Acting quickly and decisively can work wonders toward restoring that confidence, as customers sense they are receiving current, relevant, and honest communication about the incident," Camp writes. "Still, restoring confidence can take years, but this style of communication can make things much better."

So what do you think about the aftermath of the Zappos attack? Feel free to add a comment to this blog post or contribute to the discussion on Twitter.
