Concerns over online privacy are also escalating, with millions of customer records exposed in breaches at Sony, Epsilon, Fox, NASA, PBS and the US Internal Revenue Service.
The Zappos breach comes as online shopping is gaining in popularity, driven by the proliferation of smartphones and other mobile devices and supported by trust built up over the past 10 years.
The online retailer was forced to issue a warning to customers that hackers had possibly gained access to personal data, including names, addresses, e-mail addresses, phone numbers and the last four digits of their credit card numbers.
Zappos is concerned about the damage the breach will do to its brand, although security experts say the retailer appears to have followed industry best practice by encrypting credit card data and storing it on a separate system, according to the Financial Times.
In a 2010 interview with Infosecurity, the retailer's information security officer, Saffet Ozdemir, underlined the importance of the PCI's segregation requirements. “Our perspective is systems that process, transmit, or store card holder information are segregated and separate from those that do not, such that we limit the scope of PCI, we limit the cost of compliance, and we also limit our potential for breach.” In hindsight, the practice seems to have saved Zappos from an even larger headache.
Safeguarding Customer Data
But given the fact that some data was protected, it is unclear why data security was not applied more thoroughly to protect other sensitive personal data, said Mark Bower, data protection expert at Voltage Security.
“Zappos published a commitment to customers to safeguard their data, but without taking the step to data-level security, it will always be at risk,” he said.
Liz Fitzsimons, senior associate at international law firm Eversheds, said the impact of the data breach should be limited by its approach of holding only truncated credit card details and scrambled passwords.
The online retailer has also sought to limit the impact of the breach by requiring customers to reset passwords and urging them to be alert for suspicious activities following the incident.
Increasing Risk of Cybercrime
“The cyber attack on Zappos indicates the increasing threat criminals pose and the need for organizations to continually update, refresh and review their security arrangements,” said Fitzsimons.
This is required by data legislation, which refers to the need to have regard to the state of technological development and its cost in order to ensure that appropriate security applies, considering the type of data involved and the potential harm from security breaches, she said.
“Even though financial resources may be stretched, the regulators will expect security compliance to be continued and maintaining customer confidence and reputation is key in challenging trading conditions,” said Fitzsimons.
This story was first published by Computer Weekly