Friday, January 20, 2012

Zappos customer data accessed in security breach

Zappos is apparently one of the latest data breach victims.  Or, perhaps their customers are the latest victims.  Zappos feels that the information exposed was limited in scope, because the entire credit card number was not exposed (that is what they believe).  Many data thieves compile information from many sources to build complete profiles on people.  It just takes some patience and time to put together information that can be sold to the highest bidder.  It is a volume business, and the 24 million customers are just bigger targets now.

You may read the CNET article by clicking this link:

There is no perfect solution.  The mice get smarter and the traps more complex, but in time, unless there is a proactive approach, "they" will get in and the damage will be done.

Here is the big message in the article and it applies to everyone, not just Zappos:

"We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident," Hsieh wrote in the letter.

An organization builds its reputation one satisfied customer at a time.  It takes years of effort to ensure your customers are happy, and it is evidenced by the referrals you get.  Then, in an instant, your well-earned reputation is gone.

The data breach notification is the tip of the iceberg.  The intrusion may have actually been going on for some time, and the breach notification is what turns on the lights.  Other times it may be a single event.  As far as your customer cares, it puts them in jeopardy.  The only thing slightly in your favor is that people not directly affected are becoming numb to these news stories.  They never think it will happen to them, until it does, and then your company gets the blame and the loss of business.

The bad publicity comes. The regulators come.  The forensic people come.  The remediation comes.  Then you try to rebuild your business. 

What comes after an event like this is what should have been in place in the first place: a Written Information Security Program (WISP) plan.  You may think of a WISP plan in these simple terms: it is a fire drill for a data breach.  You plan, practice, and protect, hoping that you will never use what you have learned, but in the case when it is needed, it saves your life.

A WISP plan is not a static document that sits on a shelf collecting dust.  That is what makes it different, and what satisfies the regulators and creates a defensible position with them.  A WISP plan involves a risk analysis of your organization, after which appropriate best-practice measures are implemented.  It is different for, and scales to, each organization.  Every company has some exposure, some more than others.

No one can promise you anything, not even us, but you should contact Dolvin Consulting to determine your Risk Quotient.  You cannot hide your head in the sand.  It is your responsibility to find out what you can do to protect yourself and your customers, suppliers, and employees.  Contact us today to see how we can help you mitigate the risks associated with the private information you are responsible for.

  1. The full extent of the damage inflicted during the Zappos data breach event is at present unknown and it will be quite some time before we do find out exactly what was compromised, if we ever do. Still, what we do know even now is that it could've been much worse, because the hackers were unable to access the database storing the most valuable part of the online retailer customers' profiles: their payment-related information. I can only hope that it wasn't dumb luck that protected it and I also hope that we will eventually learn if it was.

    1. They did get lucky, for now. Unfortunately, data thieves are smart enough to take their time and assemble bits and pieces from multiple sources to eventually build complete profiles. This can take any amount of time and they just keep going.

      Since there is no perfect mousetrap, the bigger question is, would a working WISP plan and all the planning that accompanies it have made a difference in response time or the extent of the breach?

      Perhaps they did have a working plan and that is why they say it was only a partial breach.

      Is that possible, a partial breach?