fb-pixel Skip to main content

Retail-site attacks may rattle shoppers

Barbara Scott just hit the trifecta of computer security breaches.

Since the New Year, Scott has been a victim of three separate cyberattacks. Two weeks ago, the online auction site eBay said in an e-mail to her that there had been suspicious activity on her account. On Monday, she received an e-mail from Zappos and another from 6PM, two online shoe retailers owned by Amazon. Both messages alerted her that - once again - her information had been compromised.

“It’s disturbing,’’ said Scott, who works in San Diego as a director at Redemtech, a technology services business. “Companies have to do a better job protecting our privacy. You would think companies like eBay and Amazon have the financial backing and wherewithal to take the proper security measures.’’


The breaches at Zappos and 6PM may have compromised account information for 24 million customers - the largest breach of an online retailer since a series of cyberattacks against Sony last year that compromised 100 million customer accounts. The attacks point to an unsettling new world in which even the supposed stalwarts of the Internet - Amazon, eBay, and even the security giants paid to keep hackers at bay - cannot seem to keep personal information safe.

And when there is a security breach, the companies and computer security specialists more often than not resort to telling their consumers that it is up to them to protect their data stored on the company’s servers.

Zappos’ chief executive, Tony Hsieh, said Sunday that customer names, encrypted passwords, phone numbers, e-mail and mailing addresses, and the last four digits of their credit card numbers might have been stolen in the attack. But he noted that the company quickly reset all passwords and that a separate database containing critical credit card information had not been breached.


Hsieh provided no explanation about why the data was vulnerable. He directed customers to an e-mail address because its customer service lines “simply aren’t capable’’ of handling the number of expected customer inquiries.

In an e-mail to The New York Times on Monday, Hsieh said the company did have a security breach response plan in place before the attack but could not discuss the specifics of how it was breached. “Our plan specifically includes not disclosing details of our security processes or procedures,’’ Hsieh said. “Just like you would not expect a casino to disclose when the security guards change shifts.’’

The breaches at Amazon’s sites, combined with several recent cyberattacks, could threaten to shake consumer confidence online. Over the yearend holidays, hackers who said they were members of the group Anonymous attacked the website of Strategic Forecasting, a research firm that specializes in security and intelligence. They dumped personal and payment details for thousands of subscribers.

The White House is working on a plan to increase consumers’ confidence in the security of e-commerce sites. Its initiative, called the National Strategy for Trusted Identities in Cyberspace, works with major vendors - like banks, technology companies, and cellphone service providers - to adopt higher standards for the way companies verify user identities and store personal data online.

But the program is intended to be only one step in a larger process to protect customers’ identities and personal information on the Web, said Jerry Irvine, a member of the National Cyber Security Task Force.


With companies unable to provide a good solution, many companies and security experts throw the burden back to consumers.

“It is always a good practice to use different passwords on different websites,’’ Hsieh advised.