Online clothes and shoes retailer Zappos has admitted being the victim of a cyber attack that could potentially expose sensitive information of its 24 million customers.
Tony Hsieh, CEO of Amazon-owned Zappos, wrote an email to the company’s employees over the weekend, detailing the hack and the response to it.
"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation," he wrote.
He stressed that the server holding credit card details and other payment information was not accessed or affected.
He also posted an email that will be sent to all 24 million customers, detailing what sensitive information may have been accessed: names, email addresses, billing and shipping addresses, phone numbers, the last four digits of customers’ credit cards and "cryptographically scrambled" passwords.
The letter was also posted on Zappos’ website, but the company has since cut international access so it is no longer viewable to those outside the US. A cached version of the letter can be found here.
The company has reset all customer passwords and has asked customers who use the same or similar passwords on other sites to change those as well.
The company has turned off its phone support system as it struggles to cope with calls from worried customers and has instead asked them to get in touch via email.
"We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident," Hsieh’s email added.
The company also stressed that Amazon accounts are not affected.
John Stock, senior security consultant at vulnerability management company Outpost24, wonders if it is too much to ask for retailers to protect their customers’ data, as well as their own networks, in this tech-savvy day and age.
"As customers affected by this breach spend the next few weeks and months sifting through a deluge of phishing emails and checking credit card statements with a fine-toothed comb," he added, "organisations would be well advised to check that their security procedures are all in order."