Zappos’ Security Breach
Assessing the Zappos’ Security Breach:
Lessons Learned for Making eCommerce More Secure
In the first month of this year, 2012, online shoe retailer Zappos, now a business unit of Amazon, experienced a security breach that was initiated from a distribution center located in Kentucky. The nature of the breach shows how vulnerable the retailer’s systems are to employees who choose to break in and succeed in gaining access to customer records. It also showed how vulnerable the entire Amazon.com e-commerce system is to attacks originating from internal servers. The hacker, an employee, gained access to over 24 million Amazon.com and Zappos customer records. Although these systems had sophisticated 128-bit encryption, the hacker was able to bypass internal systems with knowledge of how the distribution center staff had constructed firewalls and password conventions. The last four digits of the customers’ credit cards were taken, along with their names, addresses, complete customer histories and approved credit limits if they had obtained Amazon.com credit cards (Letzing, 2012). The security systems had not been upgraded since 2010, when Zappos had been purchased for $800 million by Amazon.com and made a core part of the overall company network (Hsieh, 2010). As Zappos had superior technologies for logistics planning and execution, supply chain planning and execution, and the ability to orchestrate fulfillment with 3rd party logistics providers, Jeff Bezos made the decision to standardize on Zappos’ technologies and websites (McDonald, 2011). Zappos had also created a unique series of technologies that allowed consumers to inspect entire series of items online and evaluate how they will look in them (Tsuruoka, 2012). Zappos had also created an entire corporate culture predicated on delivering exceptionally positive, memorable experiences for anyone purchasing online from them, empowering customer service teams to do whatever they could within the boundaries of profitability and legality to exceed customers’ expectations (Tsuruoka, 2012).
The theft of 24 million records was even more surprising given how strong a culture the company has, one known for promoting worker autonomy and giving workers as much freedom as they need to do their jobs (Shine, 2012). The theft had been motivated by the potential to sell the names on the black market for tens of thousands of dollars, a temptation even the relatively well-paid employees of Amazon.com could not pass up (Letzing, 2012). The breach was discovered when the Amazon Web Services (AWS) team’s audits of transactions across all subsidiaries were completed, including a reconciliation of accesses by role (Letzing, 2012). If Amazon had not been able to track the access points and roles of associates looking at data online, chances are this breach would not have been fully found. Given the highly analytical nature of the Amazon.com culture within the AWS business unit, the discovery of and reaction to the breach within hours highlights why e-commerce companies need to consider partnering with cloud platform providers for the long term (Tsuruoka, 2012). If Zappos had been in the position of hosting their own website and relying on their own infrastructure, the extent of the breach might never have been found (Letzing, 2012).
Evaluating Zappos’ eCommerce and Web Presence
Zappos strives to create a highly unique customer experience via its website and its many subsections, informational areas, catalog and online ordering applications. The founder and CEO of Zappos believes that every aspect of their e-commerce systems, platforms and technologies needs to unify and strengthen the customer experience and create interest and enthusiasm for products (Hsieh, 2010). This unifying of technologies to create a common and convincing experience for customers dominates the founder’s thinking and approach to constructing new promotions and introducing new product lines into the Zappos product line (Hsieh, 2010).
The four areas of corporate contact information, customization of products for customers both online and through post-sales processes, support for customer information at purchase, and product information are designed on the Zappos website to enable the customer to selectively define their own approach to learning and buying. Zappos realizes that each of their customer segments has a different approach to navigating across these four areas, often using them in varying ways depending on the products of interest (Hsieh, 2010). Men also have significantly different approaches to navigating these four areas and often compress the time spent on support and product information, moving more rapidly through transactions. Women and families, when shopping together, however, rely on the more integrated nature of these four sections of the website, often evaluating specific products and their look using the advanced catalog features that Zappos invented and has a patent on (McDonald, 2011).
The security model for these four locations on the website is unified in a common security architecture that ensures single sign-on and the use of authentication to the user account level in real-time (Shine, 2012). This enterprise-wide content management system tracks history by item and by application, and also stores all previous purchases, often providing recommendations for future products based on what had been bought previously (Tsuruoka, 2012). While many websites have these four sections or subsegments, only Zappos has created a unified experience using security to unify personalization across each, down to the ability to track shipments in real-time (McDonald, 2011). Zappos has experimented with customizing products within the limits of their suppliers’ manufacturing capabilities and has run test campaigns that allow customers to choose a broader range of options. This strategy is often referred to as build-to-order (BTO), as the product is created to the specific needs and preferences of the customer (McDonald, 2011). Zappos can also personalize the pages of each of these four areas, further delivering a highly unique, differentiated shopping experience to their customers. All of these factors taken together create a unified customer experience that stays aligned with how customers are changing the way they choose to learn about and buy products. The focus on how to create an effective overall strategy is predicated heavily on the use of analytics across contact information, customization of products, specific locational information and streamlining the purchasing process itself (McDonald, 2011).
Analysis of Zappos’ Competitive Advantages and Marketing Strategies
With Memorial Day this weekend (May 23rd) the front page of the Zappos site is dedicated to a holiday sale, with small catalysts also promoting Clearance Swimwear and Clearance Sandals. Zappos has also created a series of sliders on their site that take the visitor and customer to specific sale areas as well. All are brightly decorated and clearly designed to evoke activity immediately. There are also multiple areas to opt into the site for specials and for providing additional information to the company to get newsletters and coupons. As Zappos is the world’s leading investor in social Customer Relationship Management (CRM) systems and uses analytics heavily to gain greater insights into customer behavior, it is apparent the site is designed for quickly launching and managing promotional campaigns (Hsieh, 2010). What makes Zappos unique is that all of the various sales and program items lead to a common series of purchasing screens that vary by interest area and previous purchasing (McDonald, 2011). The actual check-out process is defined and guided by the personalization history and logic created by the e-commerce platform itself.
Analysis of Zappos’ Security and Privacy Strategies
Up until the breach, Zappos’ security strategies were based on relatively simple 128-bit encryption that ensured their databases could not be hacked from within a browser session. Based on the analysis completed by AWS when running periodic audits of customer records access, it was determined that the hackers, who were Amazon employees working in the distribution center, had gained access using key logger software (Letzing, 2012). To defeat this potential threat in the future, the logins and passwords for all systems in the warehouse were changed and authentication to just the work area of the center was changed (Tsuruoka, 2012). Today only a General Manager of a distribution center can gain access to the databases where customer records are kept, and only by role access privileges can they even see them, which was a requirement of customers who were outraged by the breach (Shine, 2012).
Providing Greater Security for Customers: Two Alternatives
The most effective security strategy Amazon can take in light of the internal breach of their confidential data is defining more rigorous role-based authentication to the data level. This would alleviate the threat of anyone in the warehouse hacking into the data sets, and would require multiple access privileges to even see customer data (McDonald, 2011). The technologies behind these authentication techniques would also audit and report any and all potential hacking attempts, including those that are unsuccessful. A second approach to minimizing threats is to completely redefine the underlying security architecture, forcing authentication through standardized security protocols, and changing the level of security layers to ensure more effective blocking of hacking attempts. The use of constraint-based technologies to capture potential hacking threats and reroute them off the site, blocking all access, is also an option (McDonald, 2011).
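The first alternative, together with the reconciliation of accesses by role described earlier, can be sketched as follows. This is an added illustration, not code from Amazon or Zappos; the role names, privilege names, user IDs and the denial threshold are all constructed assumptions.

```python
from collections import Counter

# Constructed role and privilege names (assumptions, not from the essay).
ROLE_PRIVILEGES = {
    "warehouse_associate": {"shipment:read"},
    "customer_service": {"shipment:read", "order:read"},
    "dc_general_manager": {"shipment:read", "order:read", "customer_record:read"},
}
# Data-level rule: a resource is visible only with ALL privileges listed for it.
RESOURCE_REQUIRES = {
    "shipments": {"shipment:read"},
    "customer_records": {"order:read", "customer_record:read"},
}
AUDIT_LOG = []

def justified(role, resource):
    """True only if the role holds every privilege the resource requires."""
    required = RESOURCE_REQUIRES.get(resource)
    return required is not None and required <= ROLE_PRIVILEGES.get(role, set())

def access(user, role, resource):
    """Decide access and record the attempt, whether allowed or denied."""
    allowed = justified(role, resource)
    AUDIT_LOG.append({"user": user, "role": role,
                      "resource": resource, "allowed": allowed})
    return allowed

def reconcile(log, deny_threshold=3):
    """Flag grants the role map does not justify, and users with repeated denials."""
    findings, denials = [], Counter()
    for e in log:
        if e["allowed"] and not justified(e["role"], e["resource"]):
            findings.append(("unjustified_grant", e["user"], e["resource"]))
        elif not e["allowed"]:
            denials[e["user"]] += 1
    findings += [("repeated_denials", u, n)
                 for u, n in sorted(denials.items()) if n >= deny_threshold]
    return findings

def demo():
    AUDIT_LOG.clear()
    access("gm01", "dc_general_manager", "customer_records")       # allowed
    for _ in range(3):
        access("wh17", "warehouse_associate", "customer_records")  # denied, logged
    # Constructed record from a system that granted access without the check.
    bypass = {"user": "wh22", "role": "warehouse_associate",
              "resource": "customer_records", "allowed": True}
    return reconcile(AUDIT_LOG + [bypass])

if __name__ == "__main__":
    print(demo())
```

The reconciliation step is what surfaces the access that never passed through the policy check, which is the case an enforcement point cannot catch on its own.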
References
Hsieh, T. (2010). Zappos CEO on going to extremes for customers. Harvard Business Review, 88(7).
Letzing, J. (2012, Jan 16). Zappos says customer database hacked. Wall Street Journal (Online)
McDonald, S. (2011). Delivering happiness: A path to profits, passion and purpose. American Economist, 56(1), 127-128.
Shine, C. (2012, Jan 18). Zappos customers express anger, support, and frustration over security breach. McClatchy – Tribune Business News, pp. n/a.
Tsuruoka, D. (2012, Apr 03). Zappos breach a harbinger of more threats? layered defense key rising sophistication of professional hackers tests website security. Investors Business Daily, pp. A04.