Zappos Breach: When Good Data Security Wasn't Good Enough


The Zappos Retail Inc. data breach, wherein thieves stole partial credit-card numbers from the shoe-marketing giant, may demonstrate that merchants have taken key steps to prevent the theft of full account numbers.

The bad news for merchants is the growing awareness that scrupulously following the Payment Card Industry Data Security Standard guidelines is no longer enough to protect against hackers seeking other types of stored customer information useful for perpetrating fraud.

"The target for hackers is expanding," says Todd Thiemann, senior director for product marketing at Vormetric Inc., a provider of data-encryption services for merchants complying with the PCI standards. "It's not just card data hackers are after anymore."

Hackers are also after email addresses, phone numbers and other information they can use to facilitate fraud, he says.

In a departure from some other high-profile data breaches in recent years, this time thieves stole only the last four digits of consumers' credit card numbers, Zappos told some 24 million customers in a Jan. 15 email. Zappos, an Amazon Inc. unit, is one of the world's largest online footwear and accessories sellers.

An unauthorized party may have obtained "one or more" elements of customers' personal data, including names, email addresses, billing and shipping addresses and phone numbers, along with the last four digits of credit card numbers, Zappos said in its email.

The Zappos breach has some similarities to an incident at email marketing company Alliance Data Systems Corp.'s Epsilon unit in March, in which customers' emails and other data were exposed, raising the threat of identity fraud and phishing scams.

Although details are scant and Zappos executives were not available for comment, security experts say it appears that Zappos was in compliance with PCI standards, which require companies handling payment card data to encrypt full credit card numbers or avoid storing the entire number in case of unauthorized data exposure.

"This incident shows that merchants are definitely getting better about protecting card data," says Jose Diaz, director of technical and strategic business development for Weston, Fla.-based Thales e-security, which provides encryption technology. "It is a sign of real progress for PCI adoption."

But merchants now face the escalating risk of other types of consumer data they may leave exposed.

Zappos urged its customers to create new account passwords, and warned them to beware of email or telephone scams that might attempt to use data obtained in the breach to extract further data they could harness for fraudulent purposes.

"The Zappos incident shows that companies really need to consider encrypting all types of customer data, not just payment card data, because of the growing number of data breaches and overall risk unencrypted data poses," Thiemann says.

Once companies have invested in the infrastructure to enable advanced data encryption, the investment to expand that technology to other data is relatively affordable, Diaz says.

Such an expansion "may be what companies that deal with a lot of personal customer data may need to do," he says.

So far, PCI standards require no encryption of broad types of customer data, including email and shipping addresses and phone numbers, Diaz says. But for merchants that want to fully protect data and avoid costly problems, "encrypting all types of consumer data is a good practice," he says.
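The two practices the article describes, storing only the last four digits of a card number rather than the full PAN, and extending field-level encryption to the rest of the customer record (name, email, phone, address), look like this in code. This is an added illustration, not code from the article, Zappos, Vormetric or Thales; the customer record, field names and the in-memory key are constructed for the example (a real deployment would fetch the key from a key-management service).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Customer holds the data classes the article says were exposed. There is
// deliberately no field for the full card number: only the last four digits
// survive ingestion, so a leaked table cannot contain a usable PAN.
type Customer struct {
	Name, Email, Phone, Address string
	PANLast4                    string
}

// TruncatePAN keeps the last four digits of a card number and discards the rest.
// Not storing the full number is one of the two options the article says
// PCI DSS allows; encrypting the full number is the other.
func TruncatePAN(pan string) (string, error) {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1 // drop spaces and dashes
	}, pan)
	if len(digits) < 13 || len(digits) > 19 {
		return "", errors.New("card number must have 13 to 19 digits")
	}
	return digits[len(digits)-4:], nil
}

// FieldCipher encrypts individual PII fields with AES-256-GCM (authenticated
// encryption, so tampering with stored ciphertext is detected on read).
type FieldCipher struct{ aead cipher.AEAD }

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Seal encrypts one field under a fresh random nonce. The column name is bound
// as associated data, so a ciphertext lifted from the email column cannot be
// decrypted as if it were a phone number. Output layout: nonce || ciphertext.
func (fc *FieldCipher) Seal(field, plaintext string) ([]byte, error) {
	nonce := make([]byte, fc.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return fc.aead.Seal(nonce, nonce, []byte(plaintext), []byte(field)), nil
}

// Open reverses Seal and fails on any modification of nonce, ciphertext or tag.
func (fc *FieldCipher) Open(field string, blob []byte) (string, error) {
	ns := fc.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := fc.aead.Open(nil, blob[:ns], blob[ns:], []byte(field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptedCustomer is the shape that reaches the database: PII as ciphertext,
// last four digits in the clear (PCI DSS does not treat them as sensitive).
type EncryptedCustomer struct {
	Name, Email, Phone, Address []byte
	PANLast4                    string
}

// Protect encrypts every PII field of a record, each bound to its column name.
func Protect(fc *FieldCipher, c Customer) (EncryptedCustomer, error) {
	e := EncryptedCustomer{PANLast4: c.PANLast4}
	fields := []struct {
		name, val string
		dst       *[]byte
	}{{"name", c.Name, &e.Name}, {"email", c.Email, &e.Email},
		{"phone", c.Phone, &e.Phone}, {"address", c.Address, &e.Address}}
	for _, f := range fields {
		blob, err := fc.Seal(f.name, f.val)
		if err != nil {
			return EncryptedCustomer{}, err
		}
		*f.dst = blob
	}
	return e, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; use a KMS in practice
	rand.Read(key)
	fc, _ := NewFieldCipher(key)
	last4, _ := TruncatePAN("4111 1111 1111 1111") // constructed test PAN
	rec, _ := Protect(fc, Customer{Name: "A. Example", Email: "a@example.com",
		Phone: "555-0100", Address: "1 Main St", PANLast4: last4})
	fmt.Printf("stored: last4=%s email=%x\n", rec.PANLast4, rec.Email)
}
```

The column name as associated data is the detail most often missed when teams "just encrypt the column": without it, ciphertexts are interchangeable between fields and rows, which an attacker with write access to the database can exploit even without the key.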
