Zappos Explaining How They Got Zapped
"First, the bad news:"
[Don't you hate it when an email starts like that?]
"We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password)."
[Oh, that's good; you drew them a map, but you didn't color in every single segment. Perfect.]
"THE BETTER NEWS:
The database that stores your critical credit card and other payment data was NOT affected or accessed."
[Good to hear, I think, trying to remember back to the last time I ordered from Zappos, as I'm not a frequent purchaser from this site.]
And now the fun begins in earnest:
For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.
We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information."
[If I'm like most online consumers of information and commerce, that means I need to change passwords on perhaps an average of 40 sites. So much for doing my job today and seeing my family. Thanks, Zappos.]
Here is the easiest part of all of this:
"PLEASE CREATE A NEW PASSWORD:
Please create a new password by visiting Zappos.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there."
[No worries here; I still don't shop at TJ Maxx unless I pay with cash for my purchases after their breach years ago forced me to get a new bank credit card -- twice -- and to re-register the new cards wherever I had been using them. As much as I appreciate the service of the brand, I think I can safely say I won't be creating a new password on Zappos.]
And now here's the warm and fuzzy part:
"We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at email@example.com."
[No signature. Barely registered with me the sincerity of their concern. Did not make me want to keep buying.]
Judging Zappos' Approach
That's one consumer's reaction to the email that landed in my personal mailbox in response to the security breach at Zappos. I'm sure I'm not alone.
The coverage of the breach alternated between praising their transparency about this and their exposing as much as they could about what consumers should do to protect themselves and suggesting that they over-communicated and therefore could have created panic (from Ellen Messmer of IDG):
"Overall, the Zappos response strategy is "not a good idea," contends John D'Arcy, assistant professor of information technology at the University of Notre Dame. The Zappos decision to terminate customer password access creates a situation that makes it appear it's in a panic mode. "Maybe they went overboard." He says the motivation for the attack is probably to gain information to sell to competitors on the black market. However, phishing attacks to try and steal more customer information is also a possibility.
Other analysts generally praised the Zappos response. Gartner analyst John Pescatore, while noting he doesn't know if Zappos sufficiently protected its systems or not, said he finds the Zappos public response to be a good one so far, especially in terms of communicating publicly, adding "avoiding exposures of course is much better."
Some other security experts piled on, saying Zappos' security measures overall should have been stronger to withstand this type of attack and prevent this from occurring. Of course many of them offer security products that they were touting, so one must take their comments with a box of salt.
And some very interesting positioning was the very specific noting that Amazon, Zappos' parent company, does not share servers with Zappos and was not affected by this attack. Despite this, a lawsuit from a customer already has been filed in Kentucky against both Zappos and the much-deeper-pocketed Amazon parent and more may follow, although it's not clear that any of these will have any legal merit.
As a communications person, I typically err on the side of as much transparency as possible in the event of a crisis. But in this case, the tenor of the communication I received seemed like a purely perfunctory way of throwing all of the inconvenience and hassle of changing my passwords on me, without much of an apology or a personal communication from the CEO. And, of course, it was an attempt to deflect blame from the company if consumers like me did not take all of these precautions they recommended to fix the mess that occurred on their site.
It didn't make my day, or warm me to Zappos for future purchases. They will be in my own personal penalty box for a long time over this one.
What did you think? And did I get the "infrequent buyer" version of the apology letter that was more perfunctory? Was there a "We are so sorry!" email that went out to frequent purchasers that included a personal note from Tony?