Following Zappos' announcement that more than 24 million of its customer records may have been compromised as a result of a data breach, the online retailer and its parent company Amazon have been charged with violating the federal Fair Credit Reporting Act.
Zappos chief executive Tony Hsieh informed customers of the data breach last week in an open letter posted on the company website.
"We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, email address, billing and shipping addresses, phone number, the last four digits of your credit card and/or your cryptographically scrambled password," Hsieh explained.
As a precaution, administrators voided and reset all account passwords and directed customers to create new login credentials. Customers were also warned to reset their account information on any other site that was guarded by the leaked Zappos passwords. The apparent silver lining, however, was that the database which stored critical payment data was not affected or accessed in the breach.
Although the threat was localized to servers in a Kentucky facility, according to CIO Today, it is still unknown whether the breach was the result of IT employee negligence, zero-day vulnerabilities or something altogether separate.
But interestingly enough, according to CIO Today, Zappos' operations have routinely achieved compliance with the Payment Card Industry Data Security Standard (PCI DSS). This would suggest that all customer transactions were authenticated and encrypted using Secure Sockets Layer protocols. However, industry experts are highlighting the often-overlooked distinction between compliance and comprehensive data security.
"The bottom line: PCI DSS compliance is only the first mandatory step in securing customers' credit cards and account information," Radware security director Ron Meyran told CIO Today. "Attackers are getting [more] sophisticated by the day."
This question of due diligence may soon take center stage as Zappos faces a class-action lawsuit representing millions of customers.
The lawsuit was filed in U.S. District Court in Louisville, Kentucky, just a day after Hsieh's announcement. The motion is being led by a Texas woman seeking damages for the potential personal and financial harm caused by Zappos' data breach.
According to the Associated Press (AP), plaintiff attorney Ben Barnow expressed his concern that the leaked customer credit card information could be sold to opportunistic cybercriminals.
"I think it's clear this type of information is for sale," he told the AP. "The risk is hanging out there."
To guard against such incidents in the future, a number of Internet security experts are taking a closer look at password management. Even though the majority of reputable online retailers encrypt and hash their customer passwords, advanced hacking tools have emerged to breach even these defenses in some cases.
"When the Zappos team forced their users to reset their passwords, they enabled their users to provide a minimum of 8-character passwords, including one upper and lowercase letter and one number or special character. So users' passwords could look like 'Zappos12,' and here lies a bigger problem," explained Kaspersky Lab expert Kurt Baumgartner. "With 'rainbow tables' that have been circulating as a part of both commercial products and open source projects discussed at major security conferences for years, this weak password scheme could be quickly cracked offline."
According to PC Magazine, this news should force consumers and corporate network managers to take a closer look at their password practices and policies. Aside from creating combinations of adequate strength, users must update their passwords frequently and resist the temptation to recycle them across multiple accounts.
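As an added illustration, not code from the article or from Zappos' systems, the following Python checks a password against the reset rule Baumgartner describes, then contrasts an unsalted digest, which one precomputed table entry can expose for every user who chose that password, with a per-user salted and stretched digest. The account names and passwords are constructed samples.

```python
import hashlib
import re
import secrets
from typing import Optional

# Reset rule as quoted by Baumgartner: at least 8 characters, one upper-case
# and one lower-case letter, and one digit or special character.
POLICY_CHECKS = (
    re.compile(r".{8,}"),
    re.compile(r"[A-Z]"),
    re.compile(r"[a-z]"),
    re.compile(r"[0-9]|[^A-Za-z0-9]"),
)


def meets_reset_policy(password: str) -> bool:
    """True if the password satisfies every rule; 'Zappos12' passes."""
    return all(rule.search(password) for rule in POLICY_CHECKS)


def unsalted_digest(password: str) -> str:
    """Plain SHA-1: identical passwords give identical digests for every
    user, so a single precomputed (rainbow) table entry covers all of them."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_digest(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; the salt is stored
    beside the digest, so it need not be secret, only unique per user."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)


# Constructed sample accounts (not from the article); two users picked the
# same policy-compliant password.
SAMPLE_USERS = {"alice": "Zappos12", "bob": "Zappos12", "carol": "Tr0ub4dor&3-lamp"}


def distinct_digests(salted: bool) -> int:
    """Unique stored values: unsalted, alice and bob collapse onto one digest
    (2 of 3); salted, every record is distinct (3 of 3)."""
    hasher = salted_digest if salted else unsalted_digest
    return len({hasher(pw) for pw in SAMPLE_USERS.values()})
```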
Data Security News from SimplySecurity.com by Trend Micro