Lessons You Can Learn From Zappos’ Data Breach

Jan 20, 2012 12:48 AM By Ulf Mattsson

Last week, a Zappos employee on its security team who protects customer payment card data (the data covered by PCI DSS) arrived safely home and thought his or her job was done. However, that person forgot that customer personally identifiable information (PII) is also attractive to hackers. And voila – Zappos is now painted with the same humiliating brush as Sony, Nintendo, Stratfor, AT&T, and others.

It seems the hackers got only the last four digits of the card numbers, so let's assume Zappos was PCI compliant and that job was done. But this is how hackers work: you lock down one thing (card numbers, because PCI DSS requires it) and they go after the next easy target, which is the PII data.

This is a warning for other merchants that choose to focus only on PCI (encrypting or tokenizing card numbers because they have to) and either ignore PII data or protect it with nothing more than access control.

When are businesses going to realize that access control alone is not good enough? You have to get down to business and protect the data itself.

There is a troubling trend with hacks of this type: the burden gets put on the customer, who is told to tighten up his or her passwords. This pushes the problem onto your most important asset, your customer. It is the customer who must wear security armor before shopping at the merchant, which effectively says, "Don't come into my store unless you have secured passwords and are wearing a bullet-proof vest." Does this sound like a good way to do business?

What lessons can merchants learn from the Zappos experience?

  • Focusing on passwords is not enough. Don't burden your customers with frequent changes to their passwords. Worse still are frequent internal changes to access-control passwords: a dishonest employee can share a password with anyone. If passwords are your strategy for protecting the crown jewels of your company (payment card, PII and PHI data), you should be job hunting.
  • Protect payment card, PII and PHI data by tokenizing it. Tokenization replaces the sensitive value with a surrogate that is useless on its own, so a stolen database yields tokens rather than data. It is the most reliable way to protect this data and reduces the probability of this type of hack by more than 99%. No matter how long your passwords are, they are easily copied and emailed to bad guys by dishonest or disgruntled employees. Don't give them access to the real data in the first place.
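To make the two lessons above concrete, here is a small added example of vault-based tokenization. It is not code from the article or from Protegrity; the vault, the role names and the sample customer record are all constructed for illustration. The application database keeps only tokens (plus the displayable last four digits of the card), the real values live in a separate vault, and only a couple of back-end roles can reverse a token. A dump of the application table, the kind of thing an attacker or a disgruntled employee with database access walks off with, then contains no usable PII or card data.

```python
"""Added example: vault tokenization of card and PII data (hypothetical code)."""
from __future__ import annotations

import secrets
import string


def luhn_valid(digits: str) -> bool:
    """Luhn check used for payment card numbers (PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault: the only place the real values exist.

    In production this is a separate, encrypted datastore with its own access
    control and audit trail; an in-memory dict stands in for it here so the
    example runs offline.
    """

    ALLOWED_ROLES = {"payment-processor", "fraud-review"}   # assumed role names

    def __init__(self) -> None:
        self._by_token: dict[str, tuple[str, str]] = {}
        self._by_value: dict[tuple[str, str], str] = {}

    def tokenize_pan(self, pan: str) -> str:
        """Format-preserving token: same length, digits only, last four kept
        so the application can still display '**** 1111'."""
        if not pan.isdigit() or not 12 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        key = ("pan", pan)
        if key in self._by_value:
            return self._by_value[key]
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token must differ from the real number, must not itself look like
            # a valid PAN (fails Luhn), and must not already be assigned.
            if token != pan and not luhn_valid(token) and token not in self._by_token:
                break
        self._store(token, key)
        return token

    def tokenize_pii(self, kind: str, value: str) -> str:
        """Opaque random token for fields such as email or phone."""
        key = (kind, value)
        if key in self._by_value:
            return self._by_value[key]
        while True:
            token = f"tok_{kind}_{secrets.token_hex(12)}"
            if token not in self._by_token:
                break
        self._store(token, key)
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the few back-end roles that truly need plaintext may reverse a token."""
        if caller_role not in self.ALLOWED_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._by_token[token][1]

    def _store(self, token: str, key: tuple[str, str]) -> None:
        self._by_token[token] = key
        self._by_value[key] = token


def store_customer(vault: TokenVault, customer: dict) -> dict:
    """What the merchant's application database actually holds for a customer:
    tokens plus the displayable last four, never the real PAN, email or phone."""
    return {
        "id": customer["id"],
        "email_token": vault.tokenize_pii("email", customer["email"]),
        "phone_token": vault.tokenize_pii("phone", customer["phone"]),
        "pan_token": vault.tokenize_pan(customer["pan"]),
        "pan_last4": customer["pan"][-4:],
    }


# Constructed sample record; 4111111111111111 is a well-known test card number.
SAMPLE_CUSTOMER = {
    "id": 1001,
    "email": "alice@example.com",
    "phone": "+1-555-0100",
    "pan": "4111111111111111",
}


def leaked_plaintext(app_row: dict, customer: dict) -> list[str]:
    """Fields whose real value would be readable in a dump of the application DB."""
    dump = repr(app_row)
    return [f for f in ("email", "phone", "pan") if customer[f] in dump]


if __name__ == "__main__":
    vault = TokenVault()
    row = store_customer(vault, SAMPLE_CUSTOMER)
    print("application row:", row)
    print("plaintext exposed by an app-DB dump:", leaked_plaintext(row, SAMPLE_CUSTOMER))
    print("processor sees:", vault.detokenize(row["pan_token"], "payment-processor"))
```

The point of the design is where the trust boundary sits: the web application and its database never need the real values, so a compromise of either (or of the credentials of everyone who can query them) yields tokens only. The vault is the small, tightly controlled component that does need strong access control and auditing, and in a real deployment it would also be in a separate network segment and encrypted at rest.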

What should merchants do?
Merchants need to make the connection between data protection and data value. That connection is being forced by an increasing number of security-related class action suits across the United States and Europe, by new legislation focused on data protection, and by the ever-present need to watch expenses in a difficult global economy.

Merchants also need to recognize that security is about more than compliance and move away from the "knee-jerk, just pay what it costs" approach. It is about customers not only feeling, but knowing, that their data is safe. Security measures will increasingly be evaluated the way other company expenditures are, with cost versus benefit (customer value) firmly in mind.

Lessons like the ones Zappos learned are exceptionally valuable for all merchants that have not suffered an attack (yet!). Since the CEO's book is titled "Delivering Happiness," I was curious to see how Zappos would handle the breach. You can't always deliver happiness when the news isn't good.

Ulf Mattsson is chief technology officer at data security solutions provider Protegrity.