Zappos Breach’s Payment Card Pledge Very Risky

Written by Evan Schuman
January 18th, 2012

When Amazon’s Zappos apparel unit (and its sister site) announced on Sunday (Jan. 15) that more than 24 million customers had their information potentially stolen from its site, Zappos took the radical—but wise—move of wiping out all of its passwords. That caused massive disruptions to the company, shutting down customer service phone access and access to the site from outside the U.S., in addition to inconveniencing all customers.

But it was the unequivocal declaration that payment systems had not been touched that raised eyebrows. At this early stage of a breach investigation—knowing that cyberthieves tend to be quite good at hiding their tracks and creating misleading tracks—is such a blanket promise to customers reckless?

In a publicly disclosed employee E-mail, Zappos CEO Tony Hsieh said—and the uppercase used here is what he used in the E-mail—“we can say that THE SECURE DATABASE THAT STORES OUR CUSTOMERS’ CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.”

Had he said “We have no reason to believe payment card systems were affected or accessed” or “The initial investigation has discovered no evidence—nor even vague hints—that any of our payment systems have been touched,” no problem. But to make a declarative statement that specific sensitive systems were, indeed, untouched seems needlessly risky.

The attack itself, according to the Zappos E-mail, was done “by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky.” It’s not clear if the reference to “a criminal” means that the company believes it was a single attacker. It’s more likely that the E-mail simply wasn’t phrased that precisely.

The information accessed included name, E-mail address, billing/shipping addresses, phone numbers, last four digits of payment card number and “your cryptographically scrambled password (but not your actual password).” That last reference was presumably intended to comfort consumers that their passwords aren’t necessarily known, but given rainbow tables and other precomputed hash lists, there should be no comfort in the phrase. The underlying passwords would likely be recoverable.
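To show why a “cryptographically scrambled” password offers so little comfort, here is an added example (not from the article or from Zappos) contrasting an unsalted single-round hash, which a precomputed table reverses with one lookup, against a per-user salted, key-stretched digest that no table built in advance can match. The password list, the tiny “precomputed table” and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample "precomputed table": unsalted SHA-1 digests of a few common
# passwords mapped back to plaintext. Real rainbow tables hold billions of entries,
# but the mechanism is identical: one lookup turns a leaked digest into a password.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
PRECOMPUTED = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

ITERATIONS = 200_000  # PBKDF2 work factor; an assumed value for this example


def weak_scramble(password: str) -> str:
    """Unsalted single-round SHA-1: 'scrambled', but defeated by a precomputed table."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_precomputed(digest: str) -> Optional[str]:
    """What a leaked unsalted digest costs to reverse: a dictionary lookup."""
    return PRECOMPUTED.get(digest)


def strong_scramble(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 key stretching.

    Returns (salt, derived_key); both are stored. The salt makes every user's
    digest unique even for identical passwords, so no table built in advance
    applies, and the iteration count makes each guess expensive.
    """
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_strong(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = strong_scramble(password, salt)
    return hmac.compare_digest(candidate, stored_key)


if __name__ == "__main__":
    leaked = weak_scramble("letmein")
    print("unsalted SHA-1 recovered as:", lookup_precomputed(leaked))      # letmein
    salt, key = strong_scramble("letmein")
    print("salted PBKDF2 digest found in table:", key.hex() in PRECOMPUTED)  # False
    print("verify correct password:", verify_strong("letmein", salt, key))   # True
```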

By taking the bold move to reset and expire all passwords, the CEO threw the company into planned chaos. Given that phone calls would quickly overwhelm the call center, customer service phone access was cut off while “all employees at our headquarters, regardless of department, (are being asked) to help with assisting customers.”

The inconvenience to customers was hardly trivial; the Zappos site does not allow guest accounts—meaning that all purchases must be from a password-protected account. In other words, if someone didn’t feel like taking the time to reset his or her password, no purchase was permitted. Site access from outside the U.S.—even to reset the password—was also denied, at least initially. It’s not clear how long the non-U.S. restrictions will last, nor how widespread they were. Connections from Canada on Wednesday (Jan. 18), for example, were working fine.

The original E-mail statement said that Zappos was “recently the victim of a cyber attack,” but it didn’t quantify “recently.” Some of the applause for Zappos for having quickly described the situation to customers may prove premature. The incident, for example, might turn out to have happened months earlier.


One Comment

  1. Jay Gould Says:

    Zappos is giving everyone a lesson on managing a data breach that everyone who may ever have to deal with the problem should look to for guidance. There is a lot to be learned. People understand that such things happen and, unless you’ve been egregiously lax in protecting their account information, will give you the benefit of the doubt. How you respond to the crisis will be what determines whether or not the issue is resolved with minimal damage or it deteriorates into a PR disaster. As I said, Zappos is giving us a real-time lesson on how to do crisis management properly and we should all be taking notes.

