Even Big Companies Cannot Protect Their Data

Zappos.com’s chief executive, Tony Hsieh, did not say why the company’s data had been vulnerable. (Photo: Isaac Brekken for The New York Times)

9:02 p.m. | Updated

Barbara Scott just hit the trifecta of computer security breaches.

Since the New Year, Ms. Scott has been a victim of three separate cyberattacks. Two weeks ago, the online auction site eBay said in an e-mail to her that there had been suspicious activity on her account. On Monday, she received an e-mail from Zappos and another from 6PM, two online shoe retailers owned by Amazon. Both messages alerted her that — once again — her information had been compromised.

“It’s disturbing,” said Ms. Scott, who works in San Diego as a director at Redemtech, a technology services business. “Companies have to do a better job protecting our privacy. You would think companies like eBay and Amazon have the financial backing and wherewithal to take the proper security measures.”

The breaches at Zappos and 6PM may have compromised account information for 24 million customers — the largest breach of an online retailer since a series of cyberattacks against Sony last year that compromised 100 million customer accounts. The attacks point to an unsettling new world in which even the supposed stalwarts of the Internet — Amazon, eBay and even the security giants paid to keep hackers at bay — cannot seem to keep personal information safe.

And when there is a security breach, the companies and computer security experts more often than not resort to telling their consumers that it is up to them to protect their data stored on the company’s servers.

Zappos’s chief executive, Tony Hsieh, said Sunday that customer names, encrypted passwords, phone numbers, e-mail and mailing addresses and the last four digits of their credit card numbers might have been stolen in the attack. But he noted that the company quickly reset all passwords and that a separate database containing critical credit card information had not been breached.

Mr. Hsieh — who wrote the book “Delivering Happiness” and regularly invites customers to tour Zappos’ facilities — provided no explanation of why the data was vulnerable. He directed customers to an e-mail address because the company’s customer service lines “simply aren’t capable” of handling the expected number of customer inquiries.

That response angered Eric Seftel, a Zappos customer, who posted a reply to Zappos’ e-mail alert on The New York Times’s Bits blog: “That’s it? That’s how you respond to a security exposure that may require me to change my password on a large number of other sites to protect myself? That’s how little you think of your customers, just drop this glib little note and wash your hands of the whole affair? You have a legal and moral obligation to protect my information.”

In an e-mail to The New York Times on Monday, Mr. Hsieh said the company did have a security breach response plan in place before the attack but could not discuss its specifics or how the company was breached. “Our plan specifically includes not disclosing details of our security processes or procedures,” Mr. Hsieh said. “Just like you would not expect a casino to disclose when the security guards change shifts.”

The breaches at Amazon’s sites, combined with several recent cyberattacks, could threaten to shake consumer confidence online. Over the year-end holidays, hackers who said they were members of the group Anonymous attacked the Web site of Strategic Forecasting, a research firm that specializes in security and intelligence. They dumped personal and payment details for thousands of subscribers.

In a separate attack on India’s military and intelligence servers two weeks ago, a different group of hackers managed to find and post a segment of source code belonging to Symantec, the largest security software company.

“There are a lot of people that are going to seriously reconsider before they purchase anything else on the Internet,” Jerry Irvine, a member of the National Cyber Security Task Force, said in an interview on Monday.

The White House is working on a plan to increase consumers’ confidence in the security of e-commerce sites. Its initiative, called the National Strategy for Trusted Identities in Cyberspace, works with major vendors — like banks, technology companies and cellphone service providers — to adopt higher standards for the way companies verify user identities and store personal data online.

But the program is less than a year old and, Mr. Irvine says, intended to be only one step in a larger process to protect customers’ identities and personal information on the Web. “These breaches are going to be an education for people to take a more layered approach to their security,” he said.

With no good solution on offer, many companies and security experts throw the burden back onto consumers.

“It is always a good practice to use different passwords on different Web sites,” Mr. Hsieh advised. Mr. Irvine recommends that consumers protect their personal data more vigilantly. He suggests not using e-mail addresses as user names, creating a unique password for every Web site and refraining from saving personal and payment details online.

“That is the only way you’re going to be secure,” Mr. Irvine said.

Ms. Scott said she already used complex alphanumeric passwords and updated them on a regular basis. “Beyond that, I guess I have to be more conscious about who I choose to do business with online,” she said. “How hard can it be to find a safe place online to buy shoes?”