Popular online shoe retailer Zappos.com alerted its employees and customers of a data breach that allowed hackers to see shoppers' personal information, but not their credit card numbers. In a posting on his company's public blog, Zappos CEO Tony Hsieh advised employees to set aside at least 20 minutes to review information about the cyber attack, and to assure customers that payment data was stored in systems separate from the Kentucky server farm that hackers accessed.
Calling the event "painful," Hsieh admitted that hackers accessed customers' names, e-mail addresses, and phone numbers, along with their physical addresses and the last four digits of their credit card numbers. In addition, hackers accessed cryptographically hashed versions of customers' passwords. Like many websites, Zappos does not store passwords in readable form: the server runs each password through a one-way hash function and keeps only the result, so even its own staff and databases never hold the real password. That industry best practice limits the damage from internal theft or a database leak, and it gives some protection to customers who reuse the same password on multiple websites. It is not absolute protection, however. A one-way hash cannot be reversed, but an attacker holding the hashes can guess passwords offline, and weak or common passwords fall quickly unless the hashes are salted and deliberately slow to compute; the company's posting does not say which hashing scheme it used.
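To make the password-hashing point above concrete, here is an added example (not Zappos' code, and not a description of the scheme Zappos actually used, which the page does not state). It stores a salted, deliberately slow PBKDF2 hash, verifies a login against it, and then shows the caveat: a stolen hash of a weak password can still be recovered offline with a small wordlist, whether or not it is salted, so hashing protects the service, not a customer who reuses "summer2011" everywhere. The password and wordlist are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample data for the example; not real customer data.
SAMPLE_PASSWORD = "summer2011"
SMALL_WORDLIST = ["password", "123456", "summer2011", "letmein"]


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Store a salted, slow, one-way hash instead of the password itself.

    Record format (an assumption for this example):
        pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
    A fresh random salt per user defeats precomputed lookup tables, and the
    iteration count makes every attacker guess cost the same work as a login.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def unsalted_sha1(password: str) -> str:
    """The weak way: one fast hash, no salt, identical for every user with the same password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing against a leaked unsalted fast hash: one cheap hash per guess."""
    for guess in wordlist:
        if unsalted_sha1(guess) == leaked_hash:
            return guess
    return None


def crack_salted(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing against a salted PBKDF2 record. Still possible, but each
    guess costs the full iteration count and nothing can be precomputed, so only
    weak passwords within the attacker's wordlist are recovered."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    record = hash_password(SAMPLE_PASSWORD)
    print("login ok:", verify_password(SAMPLE_PASSWORD, record))
    print("unsalted weak password recovered:",
          crack_unsalted(unsalted_sha1(SAMPLE_PASSWORD), SMALL_WORDLIST))
    print("salted weak password recovered:", crack_salted(record, SMALL_WORDLIST))
    print("salted strong password recovered:",
          crack_salted(hash_password("correct horse battery staple"), SMALL_WORDLIST))
```

Two records of the same password never match because of the per-user salt, and the strong passphrase survives the wordlist; the weak one does not, which is why the advice to breached customers is to change a reused password everywhere, not just at the breached site.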
With the company's phone system unable to sustain the potential volume of calls about the attack, Hsieh alerted employees that Zappos.com would move its entire customer service operation to e-mail for a day or two. By the time inbound phone service is restored, employees will have completed detailed training designed to help customers select new, secure passwords for their online shopping accounts.
Even though the hackers did not obtain full card numbers, investigators suggest that Zappos' 24 million customers may want to examine their bank statements with extra vigilance. The stolen names, e-mail addresses, phone numbers and last four card digits are exactly the details that make a "phishing attack" convincing: fraud rings use them to pose as the retailer or the customer's bank and persuade the target to surrender more valuable information, such as Social Security numbers or online banking passwords. Likewise, criminals have been known to use such personal details to identify addresses where fraudulently purchased goods can be shipped without detection or interference.
Under U.S. federal law, credit card holders are liable for at most $50 in fraudulent charges, and most issuers waive even that. Debit cards linked to bank accounts have weaker, tiered protection that grows the longer a loss goes unreported, and prepaid debit cards often provide only whatever protection the issuer chooses to offer, so customers who paid with those cards have the most reason to check their statements promptly.