Breach Lesson: Pay Attention to StorageZappos Incident Highlights Need to Limit Data Retained
In the Zappos breach, which affected 24 million customers, a hacker gained unauthorized access to customer account information, including names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of credit card numbers and encrypted passwords.
In an interview with Information Security Media Group's Howard Anderson (transcript below), Cate asks a number of questions, including:
- Why was Zappos hanging onto the information?
- Why wasn't it encrypted?
- Why did the company consolidate the information so that a thief could steal it all from one location?
In the wake of the Zappos.com incident, Cate suggests other organizations need to consider: "Are you collecting and storing more data than you need, because if you are you're taking on more risks then you need to."
In the interview, Cate also:
- Says consumers "have good reason to be concerned" about the potential for fraud based on the information that was accessed in the breach;
- Describes specific risks that Zappos' customers face, including potential exposure to phishing attacks;
- Provides advice to consumers on how to help protect themselves, such as by using different passwords on every website and being cautious when responding to suspicious e-mail asking them for information.
Cate is a Distinguished Professor and C. Ben Dutton Professor of Law at the Indiana University Maurer School of Law. He is the director of the university's Center for Law, Ethics and Applied Research in Health Information and director of the Center for Applied Cybersecurity Research.
Zappos Breach Risks
HOWARD ANDERSON: Zappos customers are receiving notifications that some of their personal data has been compromised in a massive cyber attack. The company's CEO is stressing that customers' credit card and other payment data were not affected by the breach. Nevertheless, I understand that you believe there are some major risks involved as a result of this incident. What information that was breached poses risks and why?
FRED CATE: I think there are risks here. First of all, though it didn't include complete credit card numbers, it did include the last four digits of customer credit card numbers, so it's not entirely accurate for Zappos to say that no payment information was involved. I think another reason for concern is that the information that was released - name, address, e-mail address, telephone number, last four digits of the credit card number - is precisely the type of information that businesses today use when they're trying to verify themselves to you. They'll say, "We're writing you about the account in these four numbers, or "we're writing you and to prove that we know who you are; we're going to provide some additional information such as your home phone number." That's precisely the information that was taken in the Zappos breach, so I think consumers have good reason to be concerned.
Three Risk Categories
ANDERSON: I understand that you believe that there are three major categories of risk to consumers in this case. Can you describe each of those for us?
CATE: One is that the information that's taken is used in a way in which other companies are impersonated by phishers - the people who send these e-mails purporting to come from a legitimate business that you may work with, but instead they're coming from a fraudster. So somebody sends an e-mail and they say, "You need to update your account information; it's the account ending with the last four digits of your credit-card number." And because the phishers will now have this amount of information, you fall for it. You provide them the information and statistically we know that about 90 percent of Americans say that they have fallen for phishing messages, and they're a very effective type of fraud.
A second reason for concern is that this is precisely the information that you can use to find out other information about people. If I have your name and I have your address, I'm already well on my way, for example, to getting the property tax records or to getting marriage or birth or death records. That information can then be combined with the data that was also stolen in the Zappos attack and again used to ... create a more complete customer profile. For example, here in Indiana quite recently, we had a fraud ... where somebody called a woman and they claimed to be her grandson and they had been arrested in Bolivia and they needed bail money. Well, they knew enough information about the grandson to convince this woman over a bad, crackly international line that it was her grandson, and she sent the money they requested - money she'll never see again since it was a fraud. Being able to take some information and combine it with other information and then use that for fraud is a major concern.
Then, I think a third reason for concern is the data stolen in the Zappos attack included encrypted passwords and e-mail addresses. Now, we know e-mail addresses are most commonly used as account names online. In fact, many, many websites make you use your e-mail address as your account name. As for encrypted passwords - the question is how well were they encrypted. So far, Zappos has not been willing to say, but most encryption can be broken eventually. Much encryption can be broken almost instantly. So imagine now the people who launched the attack on Zappos with 24 million e-mail addresses and matching passwords. Of course, what makes that a really dangerous combination is that most of us reuse passwords on other sites. So, the warning is not just that you may be in danger on the Zappos site - probably not endangered at all since they automatically reset all of those passwords - it's that you might be in danger on some other site where you have reused that password.
Steps to Minimize Risks
ANDERSON: What advice would you give consumers on steps they can take to minimize these risks you've just described?
CATE: Many things that consumers can do ... are things that we already know we should be doing, but we don't always do. One is you should be using a different password on every site, even if you have to write them down. It's better to have a list of your passwords then to find out when somebody steals one, they've got them all. That's especially important now. If you had a password on the Zappos site that was compromised in this breach and you use the same password on other retail sites or other banking sites, it's important to go in immediately and changed those passwords. Just put in different passwords and you've gone a long way to protecting yourself.
I think a second really critical step is it calls for a lot of caution. We don't have any good, bright-line rules here. We don't have some tell-tale sign we can say to look for, but [beware of] an e-mail address or a phone call or even a fax - fraud occurs in all of these ways - asking for either more information or for you to do something that might be unusual: transfer money, provide your account information. That's a really good sign to stop and say, "Wait, I'm not going to respond to that. If I need to provide my information, I'm going to provide it the usual way. I'm going to call the business or I'm going to access its website. I'm not going to go through a message." [It's] a certain amount of just being wide awake, being conscious and careful, and especially timid, knowing that this additional amount of information is out there; and, of course, Zappos is only the most recent in a series of high-visibility, very high-stakes attacks.
What we know is that the information is being collected. It's not just stolen and used and discarded. It's stolen, maybe used, but it has certainly been held onto for future use.
ANDERSON: Finally, what steps would you like to see Zappos take to better educate its customers about the risks they face, and what can other organizations learn from the company's handling of this breach regarding how to notify those affected and help them minimize risk?
CATE: Well first of all, Zappos deserves a lot of credit. It responded quickly. It responded very directly. It's taking it very seriously, which is not true of all corporations that suffer breaches. And I think in many ways we will look back on Zappos as having done a good job here.
Having said that, I think there are some reasons to be critical of Zappos as well. One is, I did think the kind of emphasis that credit card data wasn't taken both was inaccurate and also highly misleading. Second of all, there's a pretty good question as to why Zappos was hanging on to that information. In other words, why did they need all that information? Why, if they needed it, wasn't it all stored encrypted, rather than stored in plain text except for the passwords? Why had they consolidated the information so that a thief could steal it all from one location? These might suggest important lessons for other businesses to say, "Are you collecting and storing more data than you need, because if you are you're taking on more risks then you need to face."
For example, could you store the data on a cookie, on a local computer user's hard drive so that if the user orders from Zappos, he/she would store the order information address and credit card right there on a local cookie with only one person's information in it? That way, if they order again, the information would still be accessible to them, but it wouldn't be around in a large database - something that could be easily targeted by third-party criminals.