Thiemann said he got very similar email data-breach notifications last Sunday from both Zappos and 6PM, but he hasn't yet changed passwords. The benefit of a password, he says, is that you don't have to re-enter customer information if the password is used. He says he doesn't want credit-card information stored by online stores for reuse and he's uncertain what Zappos and 6PM do in that regard. However overall, he says Zappos and 6PM are doing a good job getting information out about the data breach.
The Zappos 800-number service has a recording on it today saying service representatives aren't available to speak on the phone and encourages anyone phoning to send an inquiry to an email address. Redeploying the Zappos employees this way "doesn't make sense," Notre Dame assistant professor D'Arcy says. "It leads me to believe they weren't prepared for an event like this." However, he adds that Zappos is doing a good job of getting information out to the public, which benefits customers and usually brings favorable reactions.
The cost of handling the data breach will probably be expensive for Zappos. One estimate of data breach costs come from Ponemon Institute, whose most recent annual survey and analysis of data breach incidents put the cost of a data breach at an average $214 per compromised record. If 24 million customer records are really at stake, that in theory would put Zappos in the $5 billion range, which sounds like an impossible number. D'Arcy says he finds the Ponemon per-record cost estimate way too high, and stock investors have tended to accept data-breach costs as part of doing business.
Some online comments at the Zappos site suggest a mixed reaction from customers on how Zappos in handling the data-breach incident so far.
"Zappos site was hacked, why not tell everyone that instead of trying to hide it under 'security updates,' I would like my accounts to be removed," wrote one individual. "Lawyers get ready." However, other individuals online expressed confidence in the remediation approach Zappos is taking, saying, "... good job. Now I'm ready to shop again."
Zappos has indicated it may make additional information available about the cyberattack on its website.
Sign up for Computerworld eNewsletters.