Online shoe retailer Zappos.com reported this week that one of its customer database servers was compromised by hackers over the weekend. The initial reports, however, were not that alarming.
After all, the company said hackers were not able to get access to customers' credit card information. The company is requiring all 24 million customers to reset their account passwords.
While all of this may be slightly reassuring – as reassuring as data breaches can be – one security expert says it's still a very serious breach.
“Zappos said that credit card information was not stolen, but acknowledged that email addresses, billing and shipping addresses, phone numbers, and the last four digits from credit cards may have been compromised,” said Stephen B. Wicker, Cornell professor of Electrical and Computer Engineering. “This is a lopsided outcome for the customer.”
Wicker conducts research in wireless information networks. He focuses on networking technology, law, and sociology, and on how regulation can affect privacy and speech rights. He is the author of the book “Cellular Convergence and the Death of Privacy,” to be published by Oxford University Press at the end of 2012.
The bigger problem
“The bigger problem Zappos faces is that large databases of consumer information can be used for identity theft,” Wicker said. “As Zappos acknowledged, users who use the same or similar passwords are at risk of theft through access to other sites such as Amazon or eBay.”
Wicker says information about a customer can be used to “de-anonymize” other databases on other Web sites, further invading customer privacy. In other words, hackers can begin building databases on individuals, piecing together bits of data from a variety of sources.
“Correlation attacks enabled by such data have been shown to strip anonymity from Netflix, AOL and other databases that were assumed safe,” Wicker warned. “Thus, the information used can include customer preferences, beliefs and practices that are far harder to change than a credit card number.”
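The re-identification risk Wicker describes can be measured before a breach rather than discovered after one. The following is an added example, not code from the article or from Zappos: it takes a constructed table with the field types the company disclosed (ZIP code, phone number, last four card digits) and computes its k-anonymity, i.e. how many records share each combination of fields, then shows how much coarsening those fields (an assumed minimization policy) shrinks the number of records that are unique and therefore linkable to other data sets.

```python
from collections import Counter

# Constructed sample records; email is omitted because it is a direct
# identifier, not a quasi-identifier to be measured.
RECORDS = [
    {"zip": "14850", "phone": "607-555-0101", "last4": "4321"},
    {"zip": "14850", "phone": "607-555-0102", "last4": "8765"},
    {"zip": "14850", "phone": "607-555-0103", "last4": "4321"},
    {"zip": "14853", "phone": "607-555-0104", "last4": "1111"},
    {"zip": "98101", "phone": "206-555-0105", "last4": "2222"},
    {"zip": "98101", "phone": "206-555-0106", "last4": "2222"},
]

def project(rec, fields):
    """Project a record onto the chosen quasi-identifiers. The pseudo-field
    names 'zip3' and 'area' are assumed coarsenings (ZIP prefix, area code)."""
    key = []
    for f in fields:
        if f == "zip3":
            key.append(rec["zip"][:3])
        elif f == "area":
            key.append(rec["phone"][:3])
        else:
            key.append(rec[f])
    return tuple(key)

def k_anonymity(records, fields):
    """Return (min_k, unique_count): the smallest group of records sharing
    the same quasi-identifier values, and how many records stand alone."""
    counts = Counter(project(r, fields) for r in records)
    sizes = [counts[project(r, fields)] for r in records]
    return min(sizes), sum(1 for s in sizes if s == 1)

def minimization_report(records=RECORDS):
    """Compare the retained fields as disclosed against coarsened versions."""
    policies = {
        "as stored (zip, phone)": ("zip", "phone"),
        "as stored (zip, last4)": ("zip", "last4"),
        "coarsened (zip3, area)": ("zip3", "area"),
    }
    return {name: k_anonymity(records, f) for name, f in policies.items()}

if __name__ == "__main__":
    for name, (k, uniq) in minimization_report().items():
        print(f"{name}: min k = {k}, unique records = {uniq}")
```

A minimum k of 1 means at least one customer is uniquely described by the stored fields alone; raising it by storing less precise data is a concrete form of the restraint Wicker argues for.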
Wicker says he thinks Zappos responded quickly and correctly, calling the response admirable for its forthrightness and immediacy. But he says it's also a reminder of the risk run when online service providers maintain databases of user data. This is a practice that many, many Web site and service providers engage in for convenience and, in some cases, for profit.
“This is a practice that a networked society cannot afford for the long term if individual privacy is to be preserved,” Wicker said.