Zappos.com: Lessons of a Data Breach
On Jan. 15, hackers breached the internal network of Zappos.com and made off with private account information belonging to the online shoe retailer’s 24 million customers. Less than 48 hours later, the first lawsuit was filed: a class action suit seeking compensation from Zappos (and its parent company, Amazon) for damages to the affected customers.
The incident, which follows in the wake of other recent high-profile data breaches at Sony and NASDAQ, highlights the growing threat of cyber crime and serves as a cautionary tale for other businesses with data security exposures. Regardless of whether the class action lawsuit is ultimately successful, Zappos faces months (or years) of bad press and significant legal costs, as well as untold damage to its reputation.
In an email to employees the day after the breach, Zappos CEO Tony Hsieh wrote, “We’ve spent over 12 years building our reputation, brand
, and trust with our customers. It’s painful to see us take so many steps back due to a single incident.”
Of course, as bad as the fallout from the incident has been, it could have been even worse had the company been more lax with its internal data security controls. Although hackers gained access to the Zappos customer database, they weren’t able to get their hands on the holy grail of consumer data—credit card numbers—because Zappos wisely stored credit card information on a different server than the one housing the rest of the customer data. Had the hackers accessed the credit card information, Zappos would be facing a much greater, and much more costly, public relations nightmare.
Overall, experts are divided on the effectiveness of Zappos’ actions in the immediate aftermath of the data breach. The company has garnered praise for quickly notifying customers of the breach via email, but the decision to shut down its customer service phone center and block non-U.S. customers from accessing the Zappos.com website has drawn criticism.
Ultimately, there is no perfect crisis management blueprint. That’s why it is critical that you take steps to protect your assets and reputation before a data breach incident occurs. Perform a comprehensive review of your cyber security protocols, and make sure you have adequate insurance protection. Keep in mind that most CGL policies don’t cover data breaches, so you will need to review your Cyber Liability policy limits.