Zappos – New Lessons but The Song Remains the Same
Last week a Zappos employee on their security team who protects customer PCI data arrived home and thought their job was done. However, they forgot that customer PII data is also attractive to hackers, and voilà – Zappos is now painted with the same humiliating brush that Sony, Nintendo, Stratfor, AT&T, and others have been painted with.
The hackers seem to have gotten only the last 4 digits of the credit card numbers – so let's assume Zappos was PCI compliant – job done. But this is how hackers work – you lock down something (credit cards, for PCI) and they go after the next easy target … PII data! This is a warning to other merchants who choose to focus only on PCI (by encrypting or tokenizing their credit cards – because they have to) and either ignore PII data like what was stolen here or protect it with access control alone. When are people going to realize that access control is not good enough – you have to get down to business and protect the actual data?
There is an interesting trend with hacks of this type – the burden gets put on the customer! Customers should tighten up their passwords, they say. This is pushing the problem onto your most important asset – your customer! It's the customer who must wear security armor before shopping at the merchant. This is effectively saying, 'Don't come into my store unless you have secured passwords and wear a bulletproof vest'. Does this sound like a good way to do business?
What lessons can we learn from the Zappos experience?
- Focusing on passwords is not enough. Don't burden your customers with frequent changes to their passwords. And worse, frequent internal changes to access control passwords … a dishonest employee can share a password with … anyone! If passwords are your strategy for protecting the crown jewels of your company (PCI, PII, PHI data), you should be job hunting.
- The most reliable way of protecting PCI, PII or PHI data is to tokenize all of it. Tokenizing reduces the probability of this type of hack by more than 99%. No matter how long your passwords are, they are easily copied and emailed to bad guys by dishonest or disgruntled employees. Don’t give them the access in the first place, but use a system like Protegrity Tokenization to remove the temptation or even the possibility of committing the sin in the first place.
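To make the difference between access control and tokenization concrete, here is an added example in Python that is not part of the original post and not Protegrity's product code. It sketches the contract behind any vault-based tokenization scheme with a hypothetical `TokenVault` class: the application table stores random tokens in place of the PII fields (`email` and `phone` are assumed to be the sensitive fields), only the vault holds the mapping back, and turning a token into the original value requires an authorized role (`fulfillment` is an assumed role name). The customer rows are constructed sample data. A simulated dump of the application table then shows that no original PII value is recoverable from it, which is exactly the point the bullet above makes about removing the data rather than guarding it with passwords.

```python
import secrets

# Constructed sample rows (not real customer data): what a merchant's customer
# table might hold. Only the display-only last four card digits remain, which
# is the card data the post says the attackers obtained.
CUSTOMERS = [
    {"id": 1, "email": "ann@example.com", "phone": "+1-555-0100", "last4": "4242"},
    {"id": 2, "email": "bob@example.com", "phone": "+1-555-0101", "last4": "1234"},
    {"id": 3, "email": "ann@example.com", "phone": "+1-555-0102", "last4": "9999"},
]

# Fields the application must never store in the clear (assumed for this example).
PII_FIELDS = ("email", "phone")

# Roles permitted to turn a token back into the original value (assumed).
DETOKENIZE_ROLES = {"fulfillment"}


class TokenVault:
    """Hypothetical token vault (not a product API).

    A real vault is a separate, hardened service; this in-memory version only
    shows the contract: the application database keeps tokens, the vault alone
    keeps the mapping back to PII, and detokenization is an authorized call.
    """

    def __init__(self):
        self._value_by_token = {}   # token -> original value
        self._token_by_value = {}   # (field, value) -> token (same value, same token)

    def tokenize(self, field, value):
        key = (field, value)
        if key in self._token_by_value:
            return self._token_by_value[key]
        # Random token: carries no information about the value it replaces.
        token = f"tok_{field}_{secrets.token_hex(8)}"
        self._value_by_token[token] = value
        self._token_by_value[key] = token
        return token

    def detokenize(self, token, caller_role):
        if caller_role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._value_by_token[token]


def tokenize_record(record, vault):
    """Return a copy of the record with every PII field replaced by a token."""
    stored = dict(record)
    for field in PII_FIELDS:
        if field in stored:
            stored[field] = vault.tokenize(field, stored[field])
    return stored


def leaked_pii(stored_rows, original_rows):
    """Simulate an attacker dumping the application table: return every
    original PII value that appears anywhere in the stored rows."""
    dumped = {str(v) for row in stored_rows for v in row.values()}
    return {row[f] for row in original_rows for f in PII_FIELDS if row[f] in dumped}


def can_detokenize(vault, token, caller_role):
    """True if the given role is allowed to recover the value behind the token."""
    try:
        vault.detokenize(token, caller_role)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    vault = TokenVault()
    stored = [tokenize_record(r, vault) for r in CUSTOMERS]
    print("stored rows:", stored)
    print("PII recoverable from a dump of the raw table:", leaked_pii(CUSTOMERS, CUSTOMERS))
    print("PII recoverable from a dump of the tokenized table:", leaked_pii(stored, CUSTOMERS))
    print("fulfillment sees:", vault.detokenize(stored[0]["email"], "fulfillment"))
```

Note that the same email tokenizes to the same token, so the application can still join or deduplicate on it without ever holding the address; the phone numbers differ and so get different tokens. A stolen copy of the application table therefore contains only `tok_…` strings, and the only place the original values can be recovered is the vault, behind its own authorization check.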