Zappos doesn't mention its security breach
Last year Netflix got in a heap of trouble by botching its communications with customers around their price increase. Much press was devoted to discussing how companies should be upfront and clear with customers about what happened.
Now Zappos is facing its own crisis: a site-wide security breach that compromised the passwords of all its customers. What has Zappos learned from the Netflix debacle?
Today, Tuesday January 17, is the first business day after the breach. Here is the Zappos homepage, with not a single mention of the security breach:
And here is the blog. Apparently the "ultimate t-shirt design contest" is pretty important because it gets top billing, while the security breach doesn't get a single mention.
No mention in the customer service center, no mention on the "Create a New Password" page, no mention anywhere I can find on the site.
Is it just me, or shouldn't a major breach of customer information be mentioned somewhere on the site?
Update: On Twitter, Zappos_Service responds, "An e-mail was sent to all customers. Here is the link to what our CEO sent all Zappos employees: blogs.zappos.com/securityemail"
My response: "thanks. how can i get to that page from the zappos homepage or your blog (where the t-shirt design contest is now shown)?"
Zappos responded: "Searching 'security' on our website will bring you to a page with the link to that page."
I still find it strange. Yes, an email explaining the situation went out to customers. And a blog post went up for employees. But what if someone wasn't a customer; was there any way for them to find out what happened? (Other than somehow knowing to type "security" in the search form?)
This isn't an insignificant question. As more of our information gets posted to the cloud, these security breaches will become more common - and there should be some better-defined practices for companies to notify customers about what happened. Posting things clearly on the homepage and/or a blog page would be a good place to start.
I thought the same exact thing. I also clicked on the 'Blogs' link to no avail lol
Except that they sent an email to all customers explaining the breach, apologizing, and letting customers know that they reset ALL customer passwords.
There's a "Create a New Password" link in the upper right. Registered Zappos customers received an email indicating they needed to create a new password. Also, if you attempted to login without having created a new password yet, you were directed to do so. All that said, yes, it would probably have been wise to make the messaging provided in the email readily accessible from the homepage.
Also, they were clear that passwords were NOT compromised.
Yes, passwords were compromised. They said that credit card numbers weren't.
They said that *scrambled* passwords were compromised. So, not actual passwords, just encrypted passwords. Unless their encryption mechanism was super weak...
Most companies still think it isn't the Internet era and nobody will know anything until it strikes printed newspaper headlines.
Agreed, Mark. The site should answer users' questions. If it's the #1 question in most people's mind when they come to the site today, it should be in your face.
It often feels like companies think their home page is locked in stone. And if you have a blog, there's *no* excuse for this not being the lead post.
I totally agree, Mark. I thought Zappos handled the entire situation poorly. When I got my e-mail, it was unclear whether or not their database was targeted or if an individual targeted my personal account. I'm surprised that, from an experience standpoint, transparency wasn't a high priority for Zappos.
I instinctively checked their site and blog to see if there was anything about it but couldn't find anything, either. I couldn't confirm that the security breach extended past my account until talking to coworkers later in the day. I just find their lack of transparency frustrating because it reeks of a cover-up. Zappos was and still is one of my favorite e-commerce sites but the way they handled this really tarnishes my opinion of them.
Mara & Debbie - Zappos DIDN'T send emails to all registered customers, another black mark in how they handled this. My wife and I each have Zappos accounts and neither of us got an email about this. (And, yes, we checked our spam folders.)
Abe - Encrypted passwords can be broken. All it takes is time.
I also have a Zappos account and never received an e-mail. When I tried to log on, I arrived at a page which stated, "We apologize for the inconvenience however a recent security update has resulted in the need for you to reset your password." That's implicitly true I suppose, but it said nothing about a security breach.
It went on to say that they've sent me an e-mail. Not true. I clicked the "resend" button. That resulted in an actual e-mail. Said e-mail states, "You requested that your Zappos.com password be reset." Again, not quite true.
It all feels like they're saying, "if we pretend there's no problem, then there's no problem."
I first dealt with Zappos Jan 25 and presume no problem with my password, credit card info, etc. since this was after the breach I didn't know about. My buying experience was first rate but now my opinion has dropped upon learning of Zappos' treatment of the breach.