So, I went to Zappos.com for the first time today. I thought I would see what they had to say about this weekend’s announcement that just about everyone who shopped there has had their information stolen (well, 24 million people, which may or may not be “everyone” who shopped there, but man, that’s a lot of people).
What did I find? Nothing, nada, zilch, zip. Not a single mention could I find. I even used their search function and typed in “data breach”, which resulted in the site showing me a watch for $90.
I checked out their “blogs” section thinking that maybe they’d put something up there… nope, just the announcement of the winner of the “Ultimate Tee Shirt Design Contest.”
I heard from media reports that all affected accounts would need a new password, so I clicked on “new password” – no mention of the breach there either.
Here’s a quote from that section:
“Zappos.com servers are protected by secure firewalls—communication management computers specially designed to keep information secure and inaccessible by other Internet users. So you're absolutely safe while you shop.”
So, if I didn't watch the news or read the Internet, would I know?
But wait just one minute. According to a Fox news account from two days ago, there was a posting that said “security email” – it’s right here: http://blogs.zappos.com/securityemail And in that email was the announcement that the customers would start getting an e-mail in a couple of hours.
And in that posting there was a link to this: http://www.zappos.com/passwordchange
Look, I’m no expert computer designer, but I’m not a neophyte either… I simply could not find any way to access those pages. If it’s there, it certainly not prominent. I challenge someone, anyone, to find it from their homepage.
I have never shopped at Zappos, so I would not expect an email notification from them. In the email to their employees dated Jan 15th they inform them that “in the next hour or so we will begin the process of notifying the 24 million people involved…”
My wife shops there, a lot it appears, even has a “zapp app”… but lo and behold…no email… nothing, nada, zilch, zippo… OK, 24 million people is a lot to email, well, not according to certain Spam operators...just maybe 48 hours is not enough time. Since she heard about it on the news she decided that she better take action.
My wife used her fancy-dancy "zapp app" and clicked "change password" - she was brought to a page that listed Ugg boots for sale... She eventually went to the Zappo site and tried to log in with her old credentials...
Here’s the message my wife got when she tried to log in:
We apologize for the inconvenience however a recent security update has resulted in the need for you to reset your password. By resetting your password, you'll have a more secure experience on our website.
“…a recent security update…”, that’s how it’s being phrased… lovely. I think it’s only fair that you prominently post relevant, important, accurate information on your home page. Sure, it’s embarrassing when something like this happens, but you can’t hide from it.
According to a simple Google search, there are a lot of media outlets covering this story. The media is reporting all over the place that it was a “cyber hacking incident” and not a “mistake” or a “lost piece of equipment.”
But what if you don’t consume news like I do, or preferred to watch the Packer’s game on Sunday afternoon (what was THAT all about – 15-1-and done?)
If you didn't read the news about this incident and relied on Zappos to provide you with the relevant information you would be told that a "recent security update" requires you to use a new password. No worries my friend - remember, at Zappos you can shop with confidence. They have really cool firewalls...
So, what is it? Were the servers in Kentucky hacked into by criminals? If it's my information involved, that's a WHOLE different story than a "recent security update."
Lots of people use the same email address and password at several different retail outfits. Right now there is someone, or someone(s), with my wife's email address and password for Zappos. How hard would it be to figure out that maybe she shops elsewhere with the same info - oh, and at that other site, she has her credit card information saved there to "make the shopping experience that much faster..."
Incidents like this are going to happen, but to keep the integrity of the online commerical world intact, they have to be handled properly.
Chaos reigns in the early moments of a data breach. Getting it right requires ADVANCE preparation because YES, it can happen to you. Do you think they had a "data breach response policy manual?"
PS - how about a WISP? I'll be curious to see how our AG handles this one.