So Zappos was breached. It happens every day, certainly far more often than we hear about in the news, and, I suspect, more often than is reported to the appropriate law enforcement agencies, primarily the FBI cyber crimes unit (whose exact name escapes me at the moment).
I have done a lot of work in the cyber security space, in financial and retail, internal corporate and external facing, including compliance with the card industry’s official standard for cyber security, the imaginatively-named PCI-DSS.
I do not know how Zappos has built their internal network. But I can reasonably infer that they did at least a decent job, based on the results of the breach. The most important point is that despite a serious breach, no credit card info was compromised. Not one single complete credit card number was exposed, no security codes (those printed codes on the front of an AmEx and back of all the others) was lost.
Cyber security, like physical security, is built in layers of defense. The goal is both to minimize the probability of breach and assume a breach will happen some time, and thus mitigate the damage. Clearly, Zappos did not store credit card data in the clear with general information, but separately, and, likely, encrypted. They did not store the security codes, as PCI-DSS bans it. This breach hurts, but the impact is more of an annoyance than a serious impact. Further, they properly implemented password changes. They don’t store your password, nor can they email it to you, but rather can enable you to change it.
Most importantly, though, they handled customer relations correctly. They came clean from the beginning, and thus risking public wrath instead won customer trust.
Kudos to Tony Hsieh and his team.