Zappos' failure to prevent a hacker from stealing the personal data of 24 million customers of the online shoe store has left the victims open to cyber-attacks on several fronts, experts say.
Zappos, which is owned by Amazon.com, reported the hack over the weekend, notifying customers via e-mail that a cyber-criminal had stolen names, e-mail addresses, billing and shipping addresses, phone numbers, scrambled passwords and the last four digits of credit card numbers. Chief Executive Tony Hsieh said in the message that a hacker had penetrated the company's internal network and computer systems through a server in Kentucky. No other details were released.
To mitigate the damage to customers, Zappos reset all passwords and asked users to create new ones. If the same password is used on other web sites, then it should also be changed, the company recommended.
While Zappos appeared to have prevented the theft of credit card numbers, experts warned Tuesday that customers were far from safe. Having passwords and identifying information makes it possible for criminals to try to hack other web services used by Zappos customers, such as Amazon.com or eBay.
In addition, fraudsters will likely use the personal information to send phishing e-mails purporting to come from a legitimate business. "Think about it," Fred H. Cate, a professor and cyber-security expert at Indiana University, said in a statement. "If you get an e-mail from a company that includes your correct name and contact information and refers to the last four digits of your credit card number, wouldn't you think it is real?"
In many states, criminals can use the stolen names, addresses and phone numbers to get property tax records, marriage licenses and other publicly available information, Cate said. Such information can be very helpful in committing frauds in another person's name or accessing password-protected sites by using the extra information to answer password-reset questions.
Stephen B. Wicker, professor of computer engineering and a privacy expert at Cornell University, said the break-in is a reminder of the vulnerability of large customer databases and of how security is "an ongoing process that must be intrinsic to the design and maintenance of an Internet presence."
"Zappos' response is admirable for its forthrightness and immediacy, but this is a reminder of the risk run when online service providers maintain databases of user data," Wicker said in a statement. "This is a practice that many, many Web site and service providers engage in for convenience and, in some cases, for profit."
Despite Zappos' quick notification to customers, the online retailer is unlikely to prevent lawsuits, according to a commentary from the law firm McDonald Hopkins, which advises businesses on data privacy in a half-dozen U.S. cities. "Zappos' notification is an attempt to mitigate damages arising out of this data breach and any direct loss to its customers, which could, and most likely will, result in litigation against Zappos."