2012 Has Delivered Her First Giant Data Breach

Tuesday, January 17, 2012

Josh Shaul


This weekend, Amazon’s Zappos.com revealed that they had fallen victim to a massive data breach that exposed the personal information of 24 million customers.

It’s the same story we’ve heard over and over again.

Attackers were able to penetrate the databases that store vast caches of customer information, such as names, addresses, email addresses, passwords (cryptographically scrambled – but still quite crackable), last 4 digits of credit card numbers, and other information.

Amazon acquired Zappos in 2009 for more than $1 billion.

Based on the limited details that have been disclosed so far, this looks to me like an opportunistic attack that took advantage of vulnerabilities that were exposed to the outside world. More than likely, Zappos was running a web application that was vulnerable to SQL Injection.

Opportunistic thieves have been able to largely automate the search for this type of weakness across the internet. Once they come across a hole they can exploit, they decide if the target is valuable enough, and if so, they proceed. With a target as large and valuable as Zappos, I imagine the decision to proceed with the attack was an easy one to make.
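The weakness the post suspects, shown as an added example that is not from the post or from any Zappos code: a customer lookup built by string concatenation beside the same lookup with a bound parameter, run against a constructed in-memory table that holds only the kinds of fields the post lists (names, e-mail addresses, last four card digits).

```python
import sqlite3

# Constructed sample rows standing in for a customer table; not real records.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com", "1234"),
    ("bob", "bob@example.com", "5678"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Query text is assembled from user input, so the input can alter the WHERE clause."""
    sql = "SELECT username, email, card_last4 FROM customers WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """User input is passed as a bound parameter and is treated as data, never as SQL."""
    sql = "SELECT username, email, card_last4 FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_checked(conn, username):
    """Defensive invariant on top of the parameterized query: a lookup by a unique key
    must return at most one row; anything more is treated as an error worth alerting on."""
    rows = lookup_parameterized(conn, username)
    if len(rows) > 1:
        raise RuntimeError("lookup returned %d rows for one username" % len(rows))
    return rows[0] if rows else None


def compare(username):
    """Return (rows from vulnerable query, rows from parameterized query) for one input."""
    conn = make_db()
    return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)


if __name__ == "__main__":
    # A normal username behaves the same either way; a crafted one does not.
    print(compare("alice"))
    print(compare("' OR '1'='1"))
```

The second call shows the difference: the string-built query hands back every row in the table, while the parameterized one matches nothing, because no customer is literally named `' OR '1'='1`.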

This is yet another in a seemingly endless string of data theft incidents that demonstrate the inadequacy of today’s state of data protection. I’ll bet that Zappos has modern firewalls protecting their network and applications.

I’ll also bet that Zappos has all of their clients and end points protected by Anti-Virus. But even with those security measures (and I’m sure several more) in place, their data was still left unprotected.

We’ve been saying for years that corporate information security is like a Tootsie Pop, hard and crunchy on the outside, but soft and chewy in the middle. When the hackers found a hole in that hard exterior, they gained unfettered access to the good stuff on the inside.

Let’s all remind ourselves that hackers are out to steal our data – perhaps we should get much more aggressive about protecting that data directly. With well over 100 million records stolen over the last 30 days, it’s become impossible to argue that protecting the “network” prevents the data from being stolen from that network.

If you’re a customer of Zappos.com, you’re in for some hassles. First and foremost, if you use the same passwords on multiple sites, assume your password has been compromised and go change it.

Start with your email account, as the attackers may already have all the info they need (your email address and password) to log in.

Next, be on the lookout for phishing and other scams. Your personal info is out there, so someone who knows your name, address and last 4 credit card digits may very well be a thief posing as your bank or a merchant where you shop.

Best bet is not to give out any information whatsoever to unsolicited emailers or callers (even folks you do business with). Pay close attention to your credit card bills and bank statements looking for unusual charges, and consider replacing any credit cards you have used at Zappos.

Finally, start asking your vendors about data security. What are they doing to protect your information? How can you know they are trustworthy with your data?

We consumers need to pressure business to change their practices and protect our information. By asking questions, we’ll force organizations to recognize the importance of effective security, and to either do it properly or lose customers to a competitor who will. 

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
