Inc. has called it “an e-commerce juggernaut” because of the way CEO Tony Hsieh has used relentless innovation, stellar customer service, and a staff of believers to make Zappos one of the most “blissed-out businesses in America.” But even juggernauts are susceptible to hackers.
On Sunday Hsieh sent an email to employees alerting them that a criminal had gained access to parts of its internal network. While he stressed that the hacker didn't get into the database that stores critical credit card and other payment data, the breach did involve customer information such as email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and customers’ cryptographically scrambled passwords.
The company is doing pretty much the only thing it can to minimize the damage after the fact: recommending that its more than 24 million customers not only create a new password on the Zappos site, but also change their passwords on other sites where they use the same or similar password. While security experts always caution people to use a unique password for every website, the reality is that many people don’t for lack of a good system to remember them.
The bad news is, personal data stored on the Internet is often more valuable to criminals than credit card numbers. The Zappos breach could result in attacks on customers not only now but also months down the road, Fred Cate, director of the Indiana University Center for Applied Cybersecurity Research, told ZDNET.
“It’s pretty easy if you have an electronic data set to break all but the most rigorous [password] encryption. So if you suddenly had names, last four digits and passwords, you would have a real treasure trove. Then the most logical attack is not phishing, it is attacking those accounts where the user already does business.”
For instance, with all that information hackers could impersonate someone or pretend to be a company you do business with.
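Cate's point about "breaking" the scrambled passwords depends entirely on how they were hashed. The following is an added illustration, not code from the article or from Zappos, contrasting an unsalted fast hash (where one recovered password unlocks every account that shares it) with a per-user salted, deliberately slow PBKDF2 record; the iteration count and salt size are constructed example values.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed example parameters; a real deployment tunes ITERATIONS upward
# as hardware gets faster, and upgrades records on next login.
ITERATIONS = 100_000
SALT_BYTES = 16


def legacy_hash(password: str) -> str:
    """Unsalted, fast SHA-1: the weak 'scrambling' a leaked table exposes.
    Identical passwords give identical digests, so one cracked digest reveals
    every user who chose that password and precomputed tables apply directly."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow PBKDF2-HMAC-SHA256 record.
    Format: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so timing does not leak how many digest bytes matched."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed scheme: refuse rather than guess
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_two_users(password: str) -> Tuple[bool, bool]:
    """Two users pick the same password. Returns (legacy digests equal,
    salted records equal): (True, False) shows why salting removes the
    'crack once, unlock many' property of the leaked table."""
    legacy_equal = legacy_hash(password) == legacy_hash(password)
    salted_equal = hash_password(password) == hash_password(password)
    return legacy_equal, salted_equal


if __name__ == "__main__":
    rec = hash_password("correct horse battery")
    print(rec, verify_password("correct horse battery", rec), same_password_two_users("hunter2"))
```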
In the email to customers, Zappos warns to “exercise caution if you receive any emails or phone calls that ask for personal or account information or directs you to a website where you are asked to provide personal information.”
There’s sure to be fallout for Zappos itself. In the short term, the company must have an administrative nightmare on its hands, not to mention a drop in business while the company and its customers take actions to lock things down again.
Want to keep your company from landing in Zappos’ unenviable position?
According to former hacker turned security expert Kevin Mitnick, big and small companies face the same security challenges and dealing with them doesn't require massive resources or IT departments. Here are a few tips for small businesses that he shared with CBS Money Watch:
Get some baseline protection. It can be hard to detect an intrusion until it’s too late, as Zappos just learned. Mitnick says there are several tools on the market for SMBs. Cisco and others offer integrated services routers (ISR), which integrate routing, firewalling, intrusion detection, VoIP solutions and wireless networking, starting at around $1,000.
Monitor what's going out, as well as what's coming in. You probably already have some type of firewall for incoming traffic. But what about outgoing connections? Your computers could be at risk of malware that connects back to the attacker. According to Mitnick, antivirus software is only 60 percent effective at detecting and eliminating malicious code. To help with this, he recommends reducing the number of services a user can connect to outside the company by configuring the firewall to restrict outgoing traffic to what's necessary to do business.
Desktop software is often out of date. Individual desktops, not just servers, are now common targets. Hackers know that businesses rarely update the client application software on individual workstations. Small businesses can be particularly easy marks for these kinds of attacks. Tools like Secunia's Corporate Software Inspector automate software updates on user desktops, although they can cost a couple thousand dollars.
People can be the biggest problem. Studies have shown that most security incidents start from within. Sophisticated hacks use social engineering that predicts or manipulates human behavior to trigger the exploitation of desktop application security flaws. What may help is better employee training. One clever way is by simulating attacks, using an Internet Security Awareness Training program, which costs about $15 per person per year.
In the end, though, it's hard to know what Zappos could have done differently.
PCWorld points out that Andrew Storms, director of security operations at nCircle, says, “There’s almost no information about the attack method used to infiltrate Zappos so it’s way too early to point fingers or throw stones at their security practices.”