Zappos Breach’s Payment Card Pledge Very RiskyWritten by Evan Schuman
When Amazon’s Zappos apparel unit (and its sister site, 6pm.com) announced on Sunday (Jan. 15) that more than 24 million customers had their information potentially stolen from its site, Zappos took the radical—but wise—move of wiping out all of its passwords. That caused massive disruptions to the company, shutting down customer service phone access and access to the site from outside the U.S., in addition to inconveniencing all customers.
But it was the unequivocal declaration that payment systems had not been touched that raised eyebrows. At this early stage of a breach investigation—knowing that cyberthieves tend to be quite good at hiding their tracks and creating misleading tracks—is such a blanket promise to customers reckless?
In a publicly disclosed employee E-mail, Zappos CEO Tony Hsieh said—and the uppercase used here is what he used in the E-mail—”we can say that THE SECURE DATABASE THAT STORES OUR CUSTOMERS’ CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.”
Had he said “We have no reason to believe payment card systems were affected or accessed” or “The initial investigation has discovered no evidence—nor even vague hints—that any of our payment systems have been touched,” no problem. But to make a declarative statement that specific sensitive systems were, indeed, untouched seems needlessly risky.
The attack itself, according to the Zappos E-mail, was done “by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky.” It’s not clear if the reference to “a criminal” means that the company believes it was a single attacker. It’s more likely that the E-mail may not have been phrased that precisely.
The information accessed included name, E-mail address, billing/shipping addresses, phone numbers, last four digits of payment card number and “your cryptographically scrambled password (but not your actual password).” That last reference was presumably intended to comfort consumers that their passwords aren’t necessarily known, but with rainbow table lists, there should be no comfort in the phrase. Access would likely be available.
By taking the bold move to reset and expire all passwords, the CEO threw the company into planned chaos. Given that phone calls would quickly overwhelm the call center, customer service phone access was cut off while “all employees at our headquarters, regardless of department, (are being asked) to help with assisting customers.”
The inconvenience to customers was hardly trivial; the Zappos site does not allow guest accounts—meaning that all purchases must be from a password-protected account. In other words, if someone didn’t feel like taking the time to reset his or her password, no purchase was permitted. Site access from outside the U.S.—even to reset the password—was also denied, at least initially. It’s not clear how long the non-U.S. restrictions will last, nor how widespread they were. Connections from Canada on Wednesday (Jan. 18), for example, were working fine.
The original E-mail statement said that Zappos was “recently the victim of a cyber attack,” but it didn’t quantify “recently.” Some of the applause for Zappos for having quickly described the situation to customers may prove premature. The incident, for example, might turn out to have happened months earlier.