Zappos is emailing customers to tell them that information such as names, email addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, as well as encrypted versions of account passwords might have been compromised in the breach. Zappos reset all passwords to prevent further unauthorized access. It also claimed that full credit card numbers and other payment information (which is stored in a separate database), was unaffected and not accessed.
Zappos' discounting site 6PM.com was also hacked when attackers broke into a Kentucky data center. The same types of information were compromised in that attack and the site alerted its users.
Zappos is also turning off its customer service telephone lines so customers will have to email any questions instead. What underscores the serious nature of that step is the lengths to which the company has gone at times to satisfy customers, including free returns with no questions asked.
Even if no full credit card numbers were stolen, the amount of information that may have been stolen is significant. Knowing such information as a name, address, phone, and just the last four numbers of credit cards (often used by companies to verify identity over the phone) could be enough for criminals to steal identities.
While this is bad news for both the business and millions of customers, it is potentially a black eye as well for Amazon.com (AMZN), which owns Zappos. CBS MoneyWatch emailed both companies and is waiting for the answers to a number of questions, including the following
-- When exactly did Zappos learn about the attack and data loss?
-- Was data on all 24 million customer accounts taken, or is that a precaution and does Zappos not know exactly how much was obtained?
-- When did Zappos inform Amazon about the problem?
-- To what extent do Zappos and Amazon share computer and network systems?
-- Was the Kentucky data center owned and operated by Amazon, or was it a third party?
-- Is Amazon currently reviewing its own security procedures and strategy?
-- Is Amazon reviewing the security procedures and strategy of other companies it has acquired?
