Zappos Zapped


Zappos.com, a subsidiary of Amazon, had its internal network broken into on January 15, 2012 by an undetermined number of crackers. The attack resulted in the loss of roughly 24 million customers' data, which is about one in ten people in the United States. The data lost included customer names, e-mail addresses, the last four digits of credit card numbers, encrypted passwords, and shipping addresses.
After the attack occurred, Zappos.com told customers and made it public news that they had been breached. This was done so customers would know they needed to change their passwords, and to inform them about good security practices for the immediate future in the hope that they would not fall for phishing schemes. Then, to avoid an overload on their phone systems, they shut down their customer service line and told customers to e-mail them with questions instead. Many outside experts agree this was a good move, because Zappos.com does not have the resources to handle calls from even a small fraction of the customers affected.
In the wake of this, Amazon and Zappos.com are being sued by an increasing number of angry customers who feel that they have been violated. However, the Zappos security team was able to stop the attack while it was occurring and keep customers' social security numbers and full credit card numbers safe. This is important because the only similar case in which the courts ruled in favor of the customers was the 1st Circuit decision in the Hannaford case. There is, though, a large difference between the cases: the Hannaford case was won by the customers because their credit card numbers were stolen, which was not the case in the Zappos.com breach. Not to mention that there have not yet been any cases of identity theft or known cases of fraud resulting from this breach. In short, the cases might be dropped by the court.
Unfortunately, Zappos.com and Amazon have suffered damage to their reputations. Then there is the fact that even though the information stolen is not the most valuable information, it is still a goldmine for social engineers. Plus, the cracker is probably sitting fat and happy while hard-working Americans are being taken advantage of.
http://www.informationweek.com/security/attacks/zappos-hack-exposes-passwords/232400441
http://www.zdnet.com/blog/identity/zappos-breach-highlights-fragile-password-personal-data-security/152
http://www.bizjournals.com/seattle/blog/techflash/2012/03/zappos-cto-hacking-detected-in-progress.html?page=all
http://www.bizjournals.com/portland/morning_call/2012/03/amazon-sued-over-zappos-hacking-incident.html
http://www.databreachlegalwatch.com/2012/01/if-the-shoe-fits-file-a-class-action-zappos-data-breach-leads-to-quick-lawsuit/
http://emergingbusinessadvocate.wordpress.com/2012/03/26/zappos-com-data-breach-was-detected-incident-highlights-difficulties-in-establishing-trust-in-ecommerce-industry/


10 thoughts on “Zappos Zapped”

  1. First off, thanks for denoting this as something done by crackers, not hackers.

    Interesting that people are angry at Zappos for this. If a bank is robbed, I don’t believe the custom is to sue the bank. Most people understand that while you can try to stop this kind of thing from happening (and complete lack of defense could be a problem) the victim is not to blame for a crime. I wonder why computer crimes are different.

    • I actually disagree. I think that the customers have full rights to be angry. There is a big difference between stealing personal information and stealing money. When a bank gets robbed, insurance companies cover the losses, but when your SSN gets compromised there is no amount of insurance that will help.

      • I agree with you, except that in this case no SSNs or full credit card numbers were stolen, and the information that was stolen (exceptions being the passwords and last four digits of CCN) could have been obtained easily, not to mention legally. Just curious: knowing that, would you agree with suing Zappos or Amazon?

    • First off, I actually did that to make you happy…just kidding.

      I think that in this instance people were over-reacting to the incident, and some probably just wanted money. Since it was a cyber crime they might have thought they stood a good chance of getting it, but what many do not understand is that the US does actually understand cyber crimes and has come a long way in trying these kinds of cases, so it is not the easy money these people probably thought it would be.

  2. Amazon/Zappos made the right decision to inform their users when they were attacked, because I’m sure there are several companies that would try to cover this up. Many customers do not understand that no matter how much security you put on a system, a determined cracker/hacker will still be able to get into it if they really want to. I don’t think that people should be suing Amazon because 1. They can’t prevent everything, 2. Not all of the data was stolen, 3. Amazon did their best to protect their users after the incident.

  3. Was there any information on what methods were used or vulnerabilities exploited in order to gain access? Amazon should really prioritize security; given their history with HTML exploits that would allow you to buy any product for however much you see fit, you would think they would have learned their lesson.

    • I agree. As you know, I’m doing my project on cross-site scripting, and Amazon actually was cited as an example of a company that has been exploited by cross-site scripting. However, Zappos did not say anything except that the attack occurred through their servers in Kentucky, and it was there that their internal systems were accessed.

  4. This should be an interesting case that may even amend the previous precedent set by the Hannaford verdict. Should companies be held liable for a loss of any amount of information whether full or fractional? Or should they only be held liable for a loss of a full string of information, unfragmented? With this case in particular, I would have to side with the latter. The fact that they stopped the attack, and in turn fragmented the information that the attackers gathered, is really the pivoting factor in my mind.

    • I’m not sure anything will change regarding the Hannaford verdict, but it would be interesting because ssc1344 brings up an interesting point regarding banks. I think, though, that right now we have enough sense to say that as long as companies keep credit card numbers and social security numbers safe, then suing a company in this case would go against most individuals’ creeds.

  5. Strange that people would try and sue Zappos. If any money was actually stolen, wouldn’t Zappos just reimburse them? Also, thanks for saying crackers and not hackers.
