Posted January 16, 2012 8:36 am by with 21 comments


If there is one organization that is usually held up as the poster child for how you should run an online company (or any company at all, for that matter), it is Zappos. CEO Tony Hsieh is interviewed, it seems, on a daily basis to discuss the best practices that the online shoe and clothing selling machine uses to run its operation, not the least of which is its laser-beam focus on customer service, as noted in the logo on its web site.

Well, as is usually the case in business and in life, it looks easy when everything is flying along just fine, but the real measure of a company or organization is when something goes terribly wrong. Today it is Zappos’ turn to be tested. The company’s systems were compromised over the weekend and, according to TechCrunch:

It appears that Zappos was the victim of a cyber attack today from a hacker who gained access to the company’s internal network through the company’s servers in Kentucky. While specifics of the attack were not revealed, Zappos says that credit card and payments data were not accessed or affected by the criminal.

So now the online world sits back and watches to see just how this model organization handles an incident that can certainly dent the supposed ironclad fortress that is Zappos. Of course, being held up as an example is also likely to paint a rather large bullseye on your operation for someone who simply likes to tear people down, so maybe that’s all this is. Or is it? Whatever the reason or the implications moving forward, Zappos has put itself into gear to put Humpty Dumpty together again.

CEO Tony Hsieh writes to employees: The most important focus for us right now is the safety and security of our customers’ information. Within the next hour, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts. (We’ve already reset and expired their existing passwords.)

So far so good. Informing employees (on a holiday weekend no less) and telling them exactly what the mission is in this instance: protect the customer.

Zappos has made an “all hands” call and has worked to get information to its customers. The post continues:

Affected Zappos users simply need to reset their passwords and create a new password, Hsieh explains. In Zappos’ signature quality customer service style, the company has already created a detailed page for any affected users to find out more information. And Hsieh says that in order to service as many customer inquiries as possible, all employees at Zappos’ headquarters, regardless of department, will be asked to help with assisting customers who have questions about the attack.

From the email sent to affected users: We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

The New York Times points out an interesting twist in all of this.

Mr. Hsieh said the company made the “hard decision” to temporarily shut off its phones, directing customers to correspond by e-mail because the phone systems “simply aren’t capable” of handling the expected volume of inquiries.

“We’ve spent over 12 years building our reputation, brand, and trust with our customers,” Mr. Hsieh said. “It’s painful to see us take so many steps back due to a single incident.”

Painful indeed. This move to shut down the phones makes technological sense (I guess since I am no expert in that stuff) but it certainly will look bad to many if they cannot simply get a human being on the phone and talk about what they need to do. This seems to be a bit of a weak spot in what appears to be a rather strong handling of a messy situation.

But let’s not be too quick to hand out the reputation accolades. I went to their web site and found no obvious mention of the problem. They are probably just as interested in not scaring off new customers as they are in helping existing ones. There is no blog post but there is a highlighted “Create a New Password” area in the main navigation. Not exactly helpful.

And when you call the customer support line, which they make look like it is live under the help section of the site, you get a recorded message apologizing for no phone support and asking you to e-mail the company. It’s the kind of approach that says, “We have a problem but let’s not get too crazy about saying exactly what it is.”

There are no simple solutions in reputation threatening situations like this one. How do you think Zappos is doing so far?

  • Lori

    They ought to be warning consumers to check their credit card bills for fraudulent charges. Yes, technically perhaps credit card information was not breached, but if you stored your credit card number in your Zappos account, the thieves could order merchandise on your account to be shipped to a different address than yours.

    We noticed a fraudulent $1200 pending Zappos charge on our credit card account right before Christmas. We spotted it right away because we check our bill online frequently. I expect there will be a lot more to this story as consumers get their January credit card bills and notice Zappos charges they didn’t make.

    • So how do you feel about Zappos moving forward?

      • Lori

        Not good. I called them right after cancelling my credit card to see if they could cancel the pending order so the thieves wouldn’t profit. They said they were cancelling the charge, but it went through anyway. So I had to dispute it with my credit card company and ended up getting the charge removed after a few weeks.

        They never mentioned their security breach, apologized, or thanked me for notifying them so they could avoid the theft of goods.

        The thieves tested my Amazon account with the same credit card a few days later, but by then the card had been cancelled, and the charge was rejected by the credit card company without me having to take any action.

        My lesson learned is never to store your credit card with any online merchant. This will be problematic with Amazon’s One Click payment, but unless they provide an alternative, I won’t be doing business with them anymore, either.

        There are too many merchants online to do business with ones that aren’t consumer friendly.

        • Dee

          Your post makes no sense and is irrelevant. I have to call you out on this: The charge took a couple of weeks to be removed? So what, every business takes at least a week to credit back a card and longer for a cancelled card. What does this story even have to do with the Zappos online security breach? When you called they didn’t mention the security breach? Why would they, your call wasn’t about that.

    • Anne Marie

      I found two emails this morning: one from Zappos, I guess I am one of the 24 million… and a fraud alert from American Express. I checked via a known valid number and it was a real alert. Four fraudulent attempts were made last night to use my Amex card, which had to be cancelled. This would have required the full number, not just the last four digits. Coincidence? Maybe, but I do not have a good feeling about this.

      • Lori

        Yup, same thing that happened to me. Two fraudulent charges from Zappos, one from Amazon. In my case, my credit card number was on file with my Zappos and Amazon accounts, and the crooks just ordered merchandise through my account to be delivered to another address. When you keep your credit card on file, the crooks don’t need the full number as long as they have hacked in to the account.

        I was very satisfied with the way AMEX handled this issue. They sent me a new card overnight, and deleted the fraudulent charges very quickly.

        The lesson I’ve learned from this is never to store credit card information on online accounts. Amazon is going to have to change its policy on their One Click payment system, or I won’t be able to do business with them.

        • Anne Marie

          The attempted fraud last night was not on Zappos or Amazon. The crooks first tried the card with a $1 charge on a medical service company to see if it worked according to Amex, then tried three charges on the Walmart website. That means they had the entire number for the card.
          I do not know what made American Express suspicious but they did not process the charges and sent me a fraud alert.
          I am supposed to get a new card tomorrow and I share your opinion that no website should be keeping a record of customers’ cards beyond the transaction at hand.
          I sincerely hope that I am an isolated victim unrelated to this case but when I get the two emails back to back in my inbox, it is hard not to wonder.

  • They’ve also cut off international access. This is what we get from Australia when we access the website at the moment:

    We are so sorry – we are currently not accepting international traffic. If you have any questions please email us at

    • Do you have concerns about Zappos moving forward based on this incident?

      • I think it will be a broader implication. Will people lose trust with using their cards online?

  • Zappos is the best of class in the business and as usual is doing a stellar job. The credit card companies will also protect you and this is where American Express excels vs the competition. I believe in the end this will enhance the reputation of Zappos, and Amazon, and not diminish.

    • Rockin Robin

      You people are morons! This crap happens all the time. Bank of America had had it happen to them. Are they suddenly doomed??? No… you retards!

      • Peter

        First of all, the name calling is totally unnecessary on victims of ID theft.

        Second, no one is defending Bank of America or Sony. Those companies deserved scorn for their mistakes and so does Zappos/Amazon.

        My wife ordered ONE pair of shoes from Zappos, in 2009! Sure enough, after checking our SPAM filter, it turns out we’re on the list. They saved- and endangered- our data for TWO YEARS, without our knowledge or permission, even though we didn’t need them to have it because we were not regularly ordering from them. That makes them an ACCOMPLICE, not a victim.

        I agree that “this crap happens all the time”. But that’s exactly the problem! If you can’t defend the data, then you shouldn’t be keeping it. Period.

        I hope someone starts a class action lawsuit or something here because this needs to change.

        • Pete King

          Every business has to keep their business records for years. Especially if they are publicly traded (Zappos is owned by Amazon). Don’t be so naive Peter.

  • Debbie Langford

    Zappos NEVER notified me of a security breach. I heard about it on the news. After sending numerous emails the past three weeks, all of which have gone unanswered, I still have not been able to speak with anyone at Zappos.

    Yesterday, over $2,600 worth of merchandise was charged from an online website in DENMARK, and charged to my debit card. So I would say without a doubt, the hackers got our complete credit card information.

    FYI, there is a class action suit pending against Zappos and I have joined it. It remains to be seen whether or not they had proper security measures in place to protect customer information, but it has been proven without a doubt that they failed to notify people of the breach AND LIED about what information was stolen. This has caused me great financial and emotional distress since the fraudulent charges emptied my bank account and is causing legitimate payments to be returned NSF. I will NEVER buy another thing from Zappos and I hope every one of the 24 million customers involved sue the hell out of them.

  • JohnSmith

    The link to TechCrunch doesn’t seem to be working? Is there any problem with the given link?
