On Sunday, Zappos CEO Tony Hsieh acknowledged that his company – a subsidiary of Amazon – had been hit by hackers, who managed to gain access to personal records for approximately 24 million shoppers. "We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky," Hsieh wrote.
He stressed that Zappos was cooperating with law enforcement; exact details on the nature of the breach have not yet been disclosed.
So what have we learned from the Zappos fiasco? Well, for one thing, we're reminded yet again that even big companies are vulnerable to attacks. "It’s disturbing," tech analyst – and recent online fraud victim – Barbara Scott told the New York Times today. "Companies have to do a better job protecting our privacy. You would think companies like eBay and Amazon have the financial backing and wherewithal to take the proper security measures."
Of course, as Scott hints, Zappos isn't the only major company to be hit by hackers – only the most recent. And with e-commerce occupying an ever-larger part of our daily lives, it's safe to say that we'll see at least a few more high-profile hacks in coming months. Which brings us to our second question: How did Zappos handle the breach?
Actually, pretty handily, according to most analysts. Over at Information Week, Matthew J. Schwartz runs down the eight lessons learned from the Zappos breach, including the importance of a detailed response plan. Schwartz quotes Tomer Teller, a security researcher at Check Point Software Technologies, who says Zappos "should be commended for alerting their customers in a timely fashion."
Not that everyone is completely enamored with the reaction from Team Zappos. "Disappointingly, there is no mention of the security breach on the front page of the Zappos website – one platform you would imagine they would use to inform their customers that there was a security problem of which they should be made aware," writes Graham Cluley, an analyst at Sophos.
As for lessons, there are plenty to be learned, but perhaps chief among them is this: change your passwords, and stop reusing the same one across sites. A breach at one company is only as damaging as the number of other accounts the stolen credential unlocks. "Typically people use one password to get into a number of systems," notes ABC analyst Brad Garrett. "And so as a result if you have someone’s password, you could easily compromise other accounts they have at other locations."
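The reuse problem Garrett describes is also what a site's own security team has to check for after someone else's breach: which of our users chose the same password that just leaked elsewhere? The script below is an added example written for this page, not code from Zappos, Amazon or any of the analysts quoted. It assumes a hypothetical third-party breach dump of email/plaintext-password pairs and a hypothetical local user table that stores only salted PBKDF2 hashes (both constructed inline here), and it re-hashes each leaked password under the matching user's salt to find accounts that must be force-reset.

```python
import hashlib
import hmac
import os

# Constructed sample: credentials recovered from a hypothetical third-party
# breach dump (email -> plaintext password). Not real data.
BREACH_DUMP = {
    "alice@example.com": "Summer2011!",
    "bob@example.com": "hunter2",
    "carol@example.com": "correct horse battery staple",
}

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the same function the site uses at signup/login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(email: str, password: str) -> dict:
    """Create a user record with a fresh random per-user salt (never store plaintext)."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample: our own (hypothetical) site's user table.
OUR_USERS = [
    make_user("alice@example.com", "Summer2011!"),                    # reused the leaked password
    make_user("bob@example.com", "a different password entirely"),    # unique password
    make_user("carol@example.com", "correct horse battery staple"),   # reused the leaked password
    make_user("dave@example.com", "not in the dump at all"),          # not present in the breach
]


def find_reused_passwords(breach: dict, users: list) -> list:
    """Return emails of users whose local password equals the one leaked for them elsewhere.

    Each leaked plaintext is hashed under the user's own salt and compared in
    constant time, so the audit never needs our users' plaintext passwords.
    """
    reused = []
    for user in users:
        leaked = breach.get(user["email"])
        if leaked is None:
            continue  # this user was not in the third-party breach
        candidate = hash_password(leaked, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            reused.append(user["email"])
    return reused


if __name__ == "__main__":
    for email in find_reused_passwords(BREACH_DUMP, OUR_USERS):
        print(f"force password reset and notify: {email}")
```

The matches are exactly the accounts an attacker holding the dump could walk into, which is why the response is a forced reset and a notification rather than a quiet log entry. With a real-world dump the inputs are usually hashes rather than plaintext, and an operator would more often query a breached-password service than handle the dump directly; the comparison logic per user is the same.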