Online retailer Zappos announced late Sunday that criminal hackers broke into its systems and had access to personal information on potentially more than 24 million customer accounts. That would make this the largest data breach since hackers got into Sony's PlayStation Network last year.
Zappos is emailing customers to tell them that information such as names, email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, as well as encrypted versions of account passwords might have been compromised in the breach. Zappos reset all passwords to prevent further unauthorized access. It also claimed that full credit card numbers and other payment information (which is stored in a separate database) were unaffected and not accessed.
Zappos' discounting site 6PM.com was also hacked when attackers broke into a Kentucky data center. The same types of information were compromised in that attack and the site alerted its users.
Zappos is also turning off its customer service telephone lines so customers will have to email any questions instead. What underscores the serious nature of that step is the lengths to which the company has gone at times to satisfy customers, including free returns with no questions asked.
Even if no full credit card numbers were stolen, the amount of information that may have been stolen is significant. Knowing such information as a name, address, phone number, and just the last four digits of a credit card (often used by companies to verify identity over the phone) could be enough for criminals to steal identities.
While this is bad news for both the business and millions of customers, it is potentially a black eye as well for Amazon.com (AMZN), which owns Zappos. CBS MoneyWatch emailed both companies and is waiting for the answers to a number of questions, including the following:
-- When exactly did Zappos learn about the attack and data loss?
-- Was data on all 24 million customer accounts taken, or is that a precaution and does Zappos not know exactly how much was obtained?
-- When did Zappos inform Amazon about the problem?
-- To what extent do Zappos and Amazon share computer and network systems?
-- Was the Kentucky data center owned and operated by Amazon, or was it a third party?
-- Is Amazon currently reviewing its own security procedures and strategy?
-- Is Amazon reviewing the security procedures and strategy of other companies it has acquired?
We'll update this story with answers as we get them.
[Update: Zappos forwarded our questions to a PR firm, which responded "Beyond the information in the letter to employees from CEO, Tony Hsieh, which can be found here, there is no additional information to add and we are not doing interviews at this time."
So, there is no way yet to know when Zappos first became aware of the problem and what, if any, delay there was before informing customers. Zappos also leaves open questions of whether there was evidence that data was actually taken or exactly how many of the 24 million customer accounts were in fact compromised as a result.]