Reputation Watch: Zappos Security Breach Tests Internet Giant
If there is one organization that is usually held up as the poster child for how you should run an online company (or any company at all, for that matter), it is Zappos. CEO Tony Hsieh gets interviewed, it seems, on a daily basis to discuss the best practices that the online shoe and clothing selling machine uses to run its operation. Not the least of these is their laser beam focus on customer service, as noted in their logo on the web site.
Well, as is usually the case in business and in life, it looks easy when everything is flying along just fine, but the real measure of a company or organization is how it responds when something goes terribly wrong. Today it is Zappos’ turn to be tested. The company’s systems were compromised over the weekend and, according to TechCrunch:
It appears that Zappos was the victim of a cyber attack today from a hacker who gained access to the company’s internal network through the company’s servers in Kentucky. While specifics of the attack were not revealed, Zappos says that credit card and payments data were not accessed or affected by the criminal.
So now the online world sits back and watches to see just how this model organization handles an incident that can certainly dent the supposed ironclad fortress that is Zappos. Of course, being held up as an example is also likely to paint a rather large bullseye on your operation for someone who simply likes to tear people down, so maybe that’s all this is. Or is it? Whatever the reason or the implications moving forward, Zappos has put itself into gear to put Humpty Dumpty together again.
CEO Tony Hsieh writes to employees: “The most important focus for us right now is the safety and security of our customers’ information. Within the next hour, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts. (We’ve already reset and expired their existing passwords.)”
So far so good. Informing employees (on a holiday weekend no less) and telling them exactly what the mission is in this instance: protect the customer.
Zappos has made an “all hands” call and has worked to get information to their customers. The post continues:
Affected Zappos users simply need to reset their passwords and create a new password, Hsieh explains. In Zappos’ signature quality customer service style, the company has already created a detailed page for any affected users to find out more information. And Hsieh says that in order to service as many customer inquiries as possible, all employees at Zappos’ headquarters, regardless of department, will be asked to help with assisting customers who have questions about the attack.
From the email sent to affected users: We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
The New York Times points out an interesting twist in all of this.
Mr. Hsieh said the company made the “hard decision” to temporarily shut off its phones, directing customers to correspond by e-mail because the phone systems “simply aren’t capable” of handling the expected volume of inquiries.
“We’ve spent over 12 years building our reputation, brand, and trust with our customers,” Mr. Hsieh said. “It’s painful to see us take so many steps back due to a single incident.”
Painful indeed. This move to shut down the phones makes technological sense (I guess since I am no expert in that stuff) but it certainly will look bad to many if they cannot simply get a human being on the phone and talk about what they need to do. This seems to be a bit of a weak spot in what appears to be a rather strong handling of a messy situation.
But let’s not be too quick to hand out the reputation accolades. I went to their web site and found no obvious mention of the problem. They are probably just as interested in not scaring off new customers as they are in helping existing ones. There is no blog post, but there is a highlighted “Create a New Password” area in the main navigation. Not exactly helpful.
And when you call the customer support line, which they make look like it is live under the help section of the site, you get a recorded message apologizing for no phone support and asking you to please e-mail the company. It’s the kind of approach that says “We have a problem but let’s not get too crazy about saying exactly what it is.”
There are no simple solutions in reputation-threatening situations like this one. How do you think Zappos is doing so far?