January 16, 2012 11:26 AM

Zappos hacked: 24 million accounts at risk

By Erik Sherman (MoneyWatch)

Online retailer Zappos announced late Sunday that criminal hackers broke into its systems and had access to personal information on potentially more than 24 million customer accounts. That would make this the largest data breach since hackers got into Sony's PlayStation Network last year.

Zappos is emailing customers to tell them that information such as names, email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and encrypted versions of account passwords might have been compromised in the breach. Zappos reset all passwords to prevent further unauthorized access. It also said that full credit card numbers and other payment information (which are stored in a separate database) were unaffected and not accessed.


Zappos' discounting site 6PM.com was also hacked when attackers broke into a Kentucky data center. The same types of information were compromised in that attack and the site alerted its users.

Zappos is also turning off its customer service telephone lines so customers will have to email any questions instead. What underscores the serious nature of that step is the lengths to which the company has gone at times to satisfy customers, including free returns with no questions asked.

Even if no full credit card numbers were stolen, the amount of information that may have been taken is significant. A name, address, phone number, and just the last four digits of a credit card number (which companies often use to verify identity over the phone) could be enough for criminals to steal identities.

While this is bad news for both the business and millions of customers, it is potentially a black eye as well for Amazon.com (AMZN), which owns Zappos. CBS MoneyWatch emailed both companies and is waiting for the answers to a number of questions, including the following:

-- When exactly did Zappos learn about the attack and data loss?

-- Was data on all 24 million customer accounts taken, or is that a precaution and does Zappos not know exactly how much was obtained?

-- When did Zappos inform Amazon about the problem?

-- To what extent do Zappos and Amazon share computer and network systems?

-- Was the Kentucky data center owned and operated by Amazon, or was it a third party?

-- Is Amazon currently reviewing its own security procedures and strategy?

-- Is Amazon reviewing the security procedures and strategy of other companies it has acquired?

We'll update this story with answers as we get them.

[Update: Zappos forwarded our questions to a PR firm, which responded "Beyond the information in the letter to employees from CEO, Tony Hsieh, which can be found here, there is no additional information to add and we are not doing interviews at this time."

So, there is no way yet to know when Zappos first became aware of the problem and what, if any, delay there was before informing customers. Zappos also leaves open questions of whether there was evidence that data was actually taken or exactly how many of the 24 million customer accounts were in fact compromised as a result.]

© 2012 CBS Interactive Inc. All Rights Reserved.
by tikrit01 January 21, 2012 5:13 PM EST
I am so surprised that people are defending Zappos, credit card companies, and <a href="http://www.safemerchantaccount.com">merchant accounts</a> and just saying that consumers should call Mastercard and get new cards. When there is fraud on your card it isn't as easy as saying someone else used it. It can take months for the funds to be returned, which can be a hardship on many families. It's not OK that this happened, and their response is even more atrocious.
by JamesStein January 17, 2012 5:41 PM EST
Zappos is giving everyone a lesson on managing a data breach that everyone who may ever have to deal with the problem should look to for guidance. There is a lot to be learned. People understand that such things happen and, unless you've been egregiously lax in protecting their account information, will give you the benefit of the doubt. How you respond to the crisis will be what determines whether or not the issue is resolved with minimal damage or it deteriorates into a PR disaster.

As I said, Zappos is giving us a real-time lesson on how to do crisis management properly and we should all be taking notes. For a more detailed analysis: <a href="http://blog.unibulmerchantservices.com/zappos-is-giving-us-a-lesson-on-managing-a-data-breach">http://blog.unibulmerchantservices.com/zappos-is-giving-us-a-lesson-on-managing-a-data-breach</a>
by tubesntele January 17, 2012 1:35 PM EST
Uhh, Zappos is lying about the extent of the information released. I've had 4 fraudulent transactions on my debit card all yesterday. One vendor told me this morning that my debit card information was given to them over the phone, not online. Someone has my debit card info and, lo and behold, I have a Zappos account. This is obviously not a coincidence. I've never had any fraud on a bank account until Zappos gets hacked and I have four fraudulent transactions in a 24-hour period. The four transactions were to different vendors, so it's not like someone stole my account info for one online vendor. They have my debit card info. Of course, I've already cancelled the debit card and have a new one, but not before these crooks charged a couple hundred bucks to my account.

Zappos is lying.
by eriksherman January 17, 2012 4:15 PM EST
Sorry to hear about the fraud. It still could be a coincidence, but the issue of online versus phone is one reason why having personal data stored in the clear is such a problem. It doesn't take that much info to let someone use social engineering to get additional details.
by Jaylah54 January 17, 2012 1:11 AM EST
This would be why I absolutely refuse to do business with any on-line merchant that offers to "store my account information" for me.
by ToolMangler1 January 16, 2012 6:18 PM EST
Anonymous wonders 'why' they are hated????? Because they are thieves and criminals... Anything that hits the internet for any reason is stored on a HDD in Washington DC and Langley, Va for later decryption and analysis. That is why matter transmission can never be allowed on commercial communications lines. (To quote E.E. (Doc) Smith, "If you listen in, you get duplicates.") They are currently trying to develop that method of shipping right now.
by longtree-2009 January 16, 2012 5:44 PM EST
Never heard of Zappos, but I know Amazon. Fact is, nothing is safe from hackers, be they home grown or of a foreign nation. Hackers have gotten into the Pentagon, banks, medical facilities, and more. I don't know of anyone or any company or any government that is safe from hackers. There are no strict laws against hackers and no punishment if caught. Hackers rule.
by hypnotoad72 January 16, 2012 6:29 PM EST
It doesn't help when source code is openly shared as well...

http://www.zdnet.com/blog/security/does-microsofts-sharing-of-source-code-with-china-and-russia-pose-a-security-risk/6789

Governments should all have their own systems, made from the ground up, made with security provisions. (that doesn't eliminate the possibility of leaks, but relying on cheap off-the-shelf software made as quick'n'dirty as possible because if it's not on the shelf it's not generating profit but I digress certainly hasn't proven very effective either... )
by Samlv January 16, 2012 3:27 PM EST
So, WHY is there no law which says if my account was involved I get paid $100 or $500 for having to go through a credit card re-issue and I must be alerted?

Our legal system really needs to catch up with the digital age.
by hypnotoad72 January 16, 2012 4:56 PM EST
Assuming those presiding over the legal system understand the digital age and are not bought out by the highest bidder... or blindly running into things (e.g. "cloud computing", and they don't even say "private cloud" so it's clear they're not entirely understanding of it...)

And why should you get paid? You didn't work for it... it's also your account so it's up to you (rather than the bank business that holds it) to ensure its validity. (Sorry, I had to parrot what so many undoubtedly would say...)
by venusvegasvada January 16, 2012 2:59 PM EST
Our personal info and privacy laws concerning business use are totally backwards. How did it get this way? Where our information is considered the property of whoever gets it?

If you buy a car there are car companies that will sell your personal info to third parties if you don't tell them not to. Not the other way around, where they have to ask your permission.

Online info collected is out of control. Even if you use PayPal for privacy because you don't have to give them any personal info when you use PayPal (that's why you use it), companies still feel that it's their right to demand all of your personal info. Address, birth date, telephone numbers and on and on. It's out of control. You buy a pizza these days and everybody wants all of your personal info. It sucks.

Here's the killer. When you cancel an account with anyone, you don't have any control of your personal info. What happens to it? Nobody sends you an email notifying you that your personal info was totally wiped from their servers, do they? No, they don't. No website has a "kill info" button in your settings that 100% erases all your info from their servers.

I'd like to see the Govt. do something where people have and maintain full control over their personal information. This is not the system we should have.
by Samlv January 16, 2012 3:28 PM EST
Good luck canceling anything which is a subscription. The companies which sign you up, for some strange reason (sic) have zero staff and no process for you to cancel.
by hypnotoad72 January 16, 2012 5:05 PM EST
Samlv is correct.

But, yeah, the system is totally backwards.

Even the patent "reform" bill - which most people out here in real life know more about.

http://www.techdirt.com/articles/20110906/19492915835/congress-moves-forward-with-useless-patent-reform-that-wont-fix-any-real-problems.shtml

http://www.computerworld.com/s/article/9217905/House_approves_patent_reform_bill

(which even gets into cool tangents, such as: ""The bill essentially will give large banks a special new bailout at the expense of small inventors and the American taxpayer, and even worse, would do so on a retroactive basis," Conyers said on the House floor.")

http://arstechnica.com/tech-policy/news/2011/09/mostly-pointless-patent-reform-bill-goes-to-obama-for-signature.ars

http://www.wired.com/threatlevel/2011/09/obama-signs-patent-reform-bill-crustless-sandwich-still-patented/

http://www.fastcompany.com/1779071/first-to-file-a-patently-obvious-reform
(Note how only the big corporations are cheering it... and if you want to play, sure: Just have the money to patent something before somebody else does. Now ask why wages remain stagnant and not keeping up with inflation... A loose association? Probably... )

http://techrights.org/2011/03/04/patent-reform-act-of-2011/
by FreedomRadiox January 16, 2012 12:51 PM EST
So Zappos turns off its customer service telephone system after the hack????? Brilliant. Just the type of company I would never ever do business with.
by eriksherman January 16, 2012 2:38 PM EST
I actually have some sympathy for why they would turn off the phones - they knew they'd get buried in calls when all they could do is tell them exactly what they had emailed. That said, yup, it's not going to look good for a company that has tried to use customer service as a differentiator.