Zappos.com has been hacked. The Amazon.com-owned retailer just told 24 million customers that their personal identifying information has been compromised.
At best that means every single member has to change his or her password. At worst, it means cyber criminals may have tapped into information like home addresses, phone numbers, the last four digits of credit card numbers and, of course, names.
"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation," said an e-mail that Tony Hsieh, Zappos CEO, sent to customers.
"For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password. We also recommend that you change your password on any other Web site where you use the same or a similar password."
Playing the Odds
Neil Roiter, research director at Corero, called the Zappos breach another reminder that cyber criminals continue to aggressively and successfully attack corporate networks, stealing customer information as well as sensitive business data. As he sees it, the breach is a clear message that organizations have to examine and shore up their network, application and data-handling security in the face of sophisticated and relentless attackers.
"Although Zappos apparently took standard security measures to protect customers' credit card information and passwords, we can expect the attackers to use the stolen information -- names, e-mail addresses, billing and shipping information and the last four digits of credit cards -- to launch social engineering attacks, often called phishing attacks, to exploit Zappos customers," Roiter said.
If millions of customers receive a phishing e-mail with their billing address, phone number and the last four digits of their credit card number, he noted, only a small percentage have to take the bait to make for a very effective and profitable criminal phishing campaign.
Enterprises should alert employees to be wary of highly polished messages that appear to be genuine communications from online retailers and banks. Employees should be reminded, for example, that banks and reputable retailers will never ask you for your username, password or banking "site key." Employees should also be warned not to click on a hyperlink in an e-mail, and to be wary of links sent on social networks.
"There are literally millions of unique types of malicious software that can infect computers and, increasingly, smart phones and tablets. Consumers can easily become a victim of online fraud," Roiter said.
"On the business side, organizations should deploy defense in depth that includes effective inspection of inbound and outbound traffic for malware and suspicious activity, strong application security, antivirus on employee computers, and training and policies to minimize the risk that employees will fall victim to social engineering attacks that compromise the company."