
The Zappos Breach - When Bad Things Happen to Good Companies

Who doesn’t love Zappos? They are one of the friendliest Internet stores in the US. Zappos was founded in 1999 by Nick Swinmurn, a truly great guy, who grew the company to $1 billion in sales by 2008.

It has been a few years, but I still remember those giant boxes of Zappos shoes my wife and daughter would order – lots of styles in several sizes each. The shoe ceremony would take an hour, with all but two, maybe three pairs being returned with a pre-paid shipping voucher. We are a Zappos family.

In the middle of January, Zappos suffered a data breach of over 24 million customer records. As a point of reference, 24 million is about the population of Texas, the second most populous state in the US. Bad things do happen to good companies. In an obviously difficult statement, Tony Hsieh, Zappos’ current CEO, shared his feelings, “We've spent over 12 years building our reputation, brand, and trust.… It's painful to see us take so many steps back due to a single incident.”

Like the ripples from a pebble thrown into a pond, the after-effects of the Zappos breach just seem to cover so much ground; one wonders where it will all stop.

First Response

It has been said that the golden rule of any potential company PR disaster is to disclose as much information as possible as quickly as possible. Zappos’ Hsieh heeded this rule and played his CEO role with class. His first email, to employees, released the day the breach was discovered, read as follows:

Subject: Important – Security

Dear Zappos Employees -

Please set aside 20 minutes to carefully read this entire email. We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with the FBI to undergo an exhaustive investigation.

Because of the nature of the investigation, the information in this email is being sent a bit more formally, and unfortunately we are not able to provide any more details about specifics of the attack beyond what is in this email and the link at the end of this email, but we can say that THE SECURE DATABASE THAT STORES OUR CUSTOMERS' CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.

The most important focus for us is the safety and security of our customers' information. Within the next hour, to ensure a greater level of security, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts. (We've already reset and expired their existing passwords.)

In an equally sincere email to the entire 24 million customer list, Hsieh says:

Subject: Information on the Zappos.com site - please create a new password

First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:

The secure database that stores your critical credit card and other payment data was NOT affected or accessed.

SECURITY PRECAUTIONS:

For your protection and to prevent unauthorized access, we have expired and reset your password.

Please see the link at the end of this message to create a new password.

As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information. We also recommend that you change your password on any other web site where you use the same or a similar password.

PLEASE CREATE A NEW PASSWORD:

We have expired and reset your password. Please create a new password by clicking on the link below: http:// [we will provide a secure, unique link for each customer]

We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com.

Client Data in Malicious Hands

In any security breach, it’s all about the data. Unfortunately, while the cyber thieves didn’t get full credit card information, they did grab some information that will plague those 24 million customers today and years down the road:

• name

• e-mail address

• billing and shipping addresses

• phone number

• last four digits of the credit card number (the standard information found on receipts)

• cryptographically scrambled password (not the actual password).

The subtle note some customers may have missed in Hsieh’s email to them is that the cryptographically scrambled passwords may not be as well hidden as the phrase suggests. Zappos did the correct security thing in storing passwords as one-way hashes (“cryptographically scrambled”) rather than in the clear (just look in chapter two of the security 101 handbook). The problem is that a hash is not a lock. Once the database is in the hands of clever technical cyber criminals, they can run an offline guessing attack: hash millions of candidate passwords per second, compare each result against the stolen values, and every customer who chose a common or short password is found in minutes. Per-user salt and a deliberately slow hash such as bcrypt, scrypt or PBKDF2 raise the price of each guess, but they do not rescue weak passwords. Zappos and each of the 24 million clients need to assume their passwords were compromised.
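To make the point concrete, here is an added example (mine, not code from the column and not a description of Zappos’ actual password storage, which the column does not detail). It runs the same small dictionary attack against two constructed “leaked” tables: one of fast, unsalted SHA-1 hashes, and one of salted, iterated PBKDF2 records. The user names, passwords and wordlist are all made up for the illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the multi-million-entry lists real
# crackers use. Order matters only for counting how many guesses were needed.
WORDLIST = ["123456", "password", "letmein", "shoes123", "iloveshoes", "qwerty"]


def sha1_hex(pw):
    """Fast, unsalted hash: an attacker can compute billions of these per second."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()


# Constructed dump of unsalted hashes. alice and carol chose the same password,
# so their stored values are identical; dave's password is not in the wordlist.
LEAKED_UNSALTED = {
    "alice": sha1_hex("password"),
    "bob":   sha1_hex("shoes123"),
    "carol": sha1_hex("password"),
    "dave":  sha1_hex("Tr0ub4dor&3xq!"),
}


def crack_unsalted(table, wordlist):
    """Hash each candidate once, then look every user up against the result.
    Total cost is len(wordlist) hashes no matter how many users are in the dump,
    and one hit cracks every user who chose that password."""
    lookup = {sha1_hex(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def make_pbkdf2_record(pw, iterations, salt=None):
    """Salted, stretched storage: random per-user salt plus an iterated KDF."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def crack_pbkdf2(table, wordlist):
    """The same dictionary attack against salted PBKDF2. The salt forces one
    full KDF run per (user, candidate) pair, so no shared lookup table helps.
    Returns the cracked users and the number of KDF runs the attacker paid for."""
    cracked, work = {}, 0
    for user, rec in table.items():
        for w in wordlist:
            work += 1
            dk = hashlib.pbkdf2_hmac("sha256", w.encode("utf-8"),
                                     rec["salt"], rec["iterations"])
            if hmac.compare_digest(dk, rec["hash"]):
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    found = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print("unsalted SHA-1: cracked", found,
          "after", len(WORDLIST), "hash computations in total")

    users = [("alice", "password"), ("bob", "shoes123"),
             ("carol", "password"), ("dave", "Tr0ub4dor&3xq!")]
    salted = {u: make_pbkdf2_record(p, 200_000) for u, p in users}
    found, work = crack_pbkdf2(salted, WORDLIST)
    print("salted PBKDF2: cracked", found, "after", work,
          "KDF runs of 200000 iterations each")
```

Both attacks recover the three weak passwords; the difference is the bill. Against the unsalted table the attacker pays six cheap hashes for the whole dump, while against the salted, stretched table every guess costs 200,000 HMAC rounds and has to be repeated per user. That is why “assume your password is compromised” is the right advice whenever the hash table leaks, however it was stored.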

As Hsieh tried to tell his customers – it could have been worse. In a lot of ways, he’s correct; it could have been a whole lot worse, but that doesn’t make “less-worse” any better.

The Unlucky 24 Million?

Each of those unlucky 24 million Zappos customers needs to take pro-active action now. The cyber dangers each will face run along three fronts:

• Identity theft

• Phishing attacks

• Compromised secondary accounts

Identity Theft

Identity theft takes many forms. While almost any piece of personal information can be used in an identity theft scam, a person’s name, address and phone number are a great beginning for any identity thief. Zappos just provided 24 million starter kits.

Phishing Attacks

The heart of any phishing scam is the credibility that is achieved through making the phishing email recipient believe the email is genuine. Credibility is achieved through details that only a trusted company would know like your name, address and phone number.

One key piece of stolen information that may make future phishing scams far more effective is the last four digits of the customer’s credit card number. Whether bricks-and-mortar receipts or confirmation emails, this information seems to have become a key to establishing legitimacy.

In the next few days, or even months from now (the attention span of the American public is measured in days), Zappos customers may start receiving phishing emails that will convince them to give up even more personal information, perhaps credit cards. These phishing emails will appear to have come directly from Zappos.

Compromised Secondary Accounts

One of the most dangerous security habits consumers have is password reuse. In an amazingly revealing study of on-line banking accounts, it was found that close to 50% of all users reuse their login ID and password on other accounts.

What this means is that, once the stolen hashes are cracked, millions of the e-mail address and password combinations from the Zappos data will also open accounts on other, high-profile sites across the Internet. It is safe to assume that automated scripts are already replaying those combinations against PayPal, Schwab, Amazon and hundreds of other websites where there is money to be made.
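Those replay scripts leave a recognisable trail. As an added example (mine, not from the column and not any of the named sites’ code), the following shows how a site operator can spot a credential-stuffing run in its own login logs: one source trying many different accounts with a high failure rate, where every success in that stream is a customer who reused a Zappos password and should be forced to reset. The log format, addresses and account names are constructed for the example.

```python
import re
from collections import defaultdict

# Log line format assumed for this example (constructed, not a real site's):
#   <time> <client-ip> LOGIN <account> <OK|FAIL>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) LOGIN (?P<user>\S+) (?P<result>OK|FAIL)$")

# Constructed sample: 198.51.100.7 sprays eight accounts in four seconds and
# gets one hit; 203.0.113.5 is a real user fumbling one password; 192.0.2.44
# logs in normally.
SAMPLE_LOG = """\
03:00:01 198.51.100.7 LOGIN ann@example.com FAIL
03:00:01 198.51.100.7 LOGIN bo@example.com FAIL
03:00:02 198.51.100.7 LOGIN cy@example.com OK
03:00:02 198.51.100.7 LOGIN di@example.com FAIL
03:00:03 198.51.100.7 LOGIN ed@example.com FAIL
03:00:03 198.51.100.7 LOGIN flo@example.com FAIL
03:00:04 198.51.100.7 LOGIN gus@example.com FAIL
03:00:04 198.51.100.7 LOGIN hal@example.com FAIL
03:01:10 203.0.113.5 LOGIN ann@example.com FAIL
03:01:25 203.0.113.5 LOGIN ann@example.com FAIL
03:01:40 203.0.113.5 LOGIN ann@example.com OK
03:02:00 192.0.2.44 LOGIN ivy@example.com OK
"""


def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    matches = (LINE_RE.match(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]


def per_ip_stats(events):
    """Aggregate attempts, failures and the set of accounts touched per source."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0,
                                 "users": set(), "ok_users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["ok_users"].add(e["user"])
    return stats


def flag_stuffing(events, min_users=5, min_fail_rate=0.75):
    """A legitimate user fails on one account; a stuffing script fails on many.
    Flag sources that touch at least min_users accounts with a failure rate of
    min_fail_rate or higher, and list the accounts they got into."""
    flagged = {}
    for ip, s in per_ip_stats(events).items():
        fail_rate = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_rate >= min_fail_rate:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_rate": fail_rate,
                # successes from a flagged source are reused-password victims
                "compromised": sorted(s["ok_users"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The per-source thresholds catch the noisy script in the sample, but a patient attacker spreads the same list across many addresses with a handful of attempts each; that needs a per-account view (one new address succeeding first try on an account that has never seen it) and a baseline of the site’s normal global failure rate. Either way, the accounts in the “compromised” list get a forced reset, not just the flagged address a block.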

Insult to Injury

As if this major embarrassment and impending loss of business were not enough, at least one opportunistic individual has decided to torture Zappos even more.

In the lawsuit, Stevens v. Amazon.com Inc., filed Monday in the U.S. District Court for the Western District of Kentucky, attorneys for Theresa D. Stevens claim that the defendants were entrusted with "safeguarding plaintiff's and class members' PCAI [personal customer account information]" and are in violation of the Fair Credit Reporting Act. The suit alleges the defendants failed to adopt and maintain adequate procedures to protect information and limit its dissemination only for the permissible purposes set forth in the Act.

The defendants' actions also "constitute common law invasion of privacy by the public disclosure of private facts and common law negligence," the suit argues.

The suit states, "Plaintiff and class members are entitled to compensation for their actual damages including ... expenses for credit monitoring and identity theft insurance, out-of-pocket expenses, and other economic and non-economic harm, or statutory damages of not less than $100, and not more than $1,000, each, as well as attorneys fees, litigation expenses and costs, pursuant to [the Act]."

Lessons Learned

However unfortunate, the Zappos breach is neither new nor unique. Only its magnitude and high-profile visibility make it front page news. Until information on how the hack was executed comes to light, we can only assume Zappos was as good as, and perhaps better than, most on-line retailers where security is concerned.

Hsieh’s immediate and complete disclosure was refreshing, given how often data breaches are withheld from the public (or never discovered at all).

Perhaps the real wake-up call is to the public. The lessons they might take away from this breach might be:

Watch your passwords – It is a guarantee that reusing passwords will eventually bite you in the butt. The best approach is a unique password for every account (a password manager makes this practical). A weaker fallback is a small set of passwords, one for all financial institution accounts, one for all on-line retail stores, and one for social networks; be aware that this only limits the damage, since one breached retailer still unlocks every other retailer in that tier.

Be careful of Phishing scams – Your personal information is being leaked (perhaps poured) at an ever alarming rate. Consider every email as a potential scam and work from there.

Use a Cyber Credit Card – Zappos was clever in separating its personal and financial databases, so credit card information was not stolen. Other on-line retailers won’t be. I would strongly suggest you use a single, dedicated credit card with a low limit for all your on-line shopping. Prefer a credit card to a debit card for this: a debit card draws directly on your bank account and generally gives you weaker fraud protection than a credit card does.

Just another day in the cyber wars.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.