In acknowledging a data breach in which information on as many as 24 million customers was stolen, online shoe and clothing retailer Zappos has taken assertive steps, including forcing customers to change their passwords and temporarily suspending its 800-number phone service so that customer-service representatives can be redeployed to answer customer email.
These steps are all part of the breach response begun last Sunday, when Zappos CEO Tony Hsieh posted an open letter online to Zappos employees about a "cyberattack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky." In the letter, Hsieh wrote, "The most important focus for us right now is the safety and security of our customers' information. Within the next hour, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help them through the process of choosing a new password for their accounts," adding that the existing customer passwords had been expired.
Overall, the Zappos response strategy is "not a good idea," contends John D'Arcy, assistant professor of information technology at the University of Notre Dame. In his view, the decision to expire every customer password makes it look as if the company is in "a panic mode" and is likely to spread that panic to customers. "Maybe they went overboard," he says. He says the attacker's motivation was probably to obtain information to sell to competitors on the black market, although phishing attacks that try to steal further customer information are also a possibility.
This article also appeared in PC World and CIO Australia.