HENDERSON, Nev., Jan. 16 (UPI) — A cyberattack forced online U.S. shoe and apparel retailer Zappos.com to notify its 24 million customers about a serious security breach.
In a notice to company employees posted on its Web site Sunday night, Zappos.com Chief Executive Officer Tony Hsieh said customers would need to create new passwords to access their accounts.
“We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky,” said Hsieh, whose company does a billion dollars in sales annually. “We are cooperating with the FBI to undergo an exhaustive investigation.”
He said while he couldn’t provide further details about the specifics of the cyberattack, “we can say that the secure database that stores our customers’ critical credit card and other payment data was not affected or accessed.”
The message to the company’s 1,500 employees said customers would be receiving an e-mail telling them the “bad news” and “better news.”
The bad news, Hsieh said, was the hackers gained access to some account information, “including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).”
The better news, he said, was the company’s secure database that stores customers’ “critical” credit card and other payment data “was not affected or accessed.”
The Zappos.com memo went on to remind customers the company “will never ask you for personal or account information in an e-mail.”
“Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a Web site where you are asked to provide personal information,” the company message advised. “We also recommend that you change your password on any other Web site where you use the same or a similar password.”
Zappos.com said it was expecting to be deluged with customer phone calls to its Henderson, Nev., headquarters, so it made “the hard decision to temporarily turn off our phones and direct customers to contact us by e-mail because our phone systems simply aren’t capable of handling so much volume.”
“We’ve spent over 12 years building our reputation, brand, and trust with our customers,” Hsieh said. “It’s painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the secure database that stores our customers’ critical credit card and other payment data was not affected or accessed.”
Zappos.com, founded in 1999, was bought by Amazon.com in 2009 in an all-stock deal worth about $1.2 billion.