FinTech: The hidden cost of a major IT security breach
What would your company do if it found that a hacker had accessed millions of customers' accounts? On-line retailer Zappos.Com has adopted a strategy that may be the most radical yet. It is certainly amongst the most costly - and has the potential to backfire.
When hackers broke into the servers of Zappos.Com, they were able to access up to 24 million users' accounts.
Zappos.com, on discovering the breach, did three things first. They shut down all access to the website and removed all contact information except for a single e-mail address. They suspended all customer accounts and forced a password change. And they wrote to every customer explaining what had happened and what was being done to secure accounts.
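The article does not say how Zappos implemented the second of those steps, so the following is an added illustration, not Zappos code: a minimal "suspend everything" routine over a constructed in-memory user store. The shape of the records, the 24-hour reset window and the hashing choices are all assumptions made for the example. The detail worth noting is that a forced password change alone is not enough; live sessions have to be revoked too, or a stolen session cookie keeps working after the reset.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumed reset-window length, not from the article


def make_sample_accounts():
    """Constructed sample user store (not Zappos data): each record holds a
    password hash, the set of live session ids, and the last four card digits
    that the article says were on the compromised server."""
    return {
        "alice@example.com": {"pw_hash": "h-alice-old", "sessions": {"s1", "s2"}, "card_last4": "1234"},
        "bob@example.com": {"pw_hash": "h-bob-old", "sessions": {"s3"}, "card_last4": "5678"},
    }


def force_reset_all(accounts, now=None):
    """Suspend every account at once: mark the password expired, revoke all
    live sessions (a reset alone would leave an attacker's stolen cookie
    valid), and mint a single-use reset token. Only the token's hash is
    stored, so a second copy of the database leaking yields no usable tokens.
    Returns the plaintext tokens keyed by e-mail for the notification mailer."""
    now = time.time() if now is None else now
    tokens = {}
    for email, acct in accounts.items():
        acct["password_expired"] = True
        acct["sessions"].clear()
        token = secrets.token_urlsafe(32)
        acct["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
        acct["reset_token_expires"] = now + TOKEN_TTL_SECONDS
        tokens[email] = token
    return tokens


def redeem_reset(accounts, email, token, new_pw_hash, now=None):
    """Complete the customer's forced password change. Fails closed on an
    unknown address, a missing, expired or already-used token, or a mismatch;
    the comparison is constant-time so the stored hash cannot be probed."""
    now = time.time() if now is None else now
    acct = accounts.get(email)
    if acct is None:
        return False
    stored = acct.get("reset_token_hash")
    if stored is None or now > acct["reset_token_expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(stored, presented):
        return False
    acct["pw_hash"] = new_pw_hash
    acct["password_expired"] = False
    del acct["reset_token_hash"]      # single use: the token cannot be replayed
    del acct["reset_token_expires"]
    return True


def can_login(acct, pw_hash):
    """Ordinary login is refused until the forced reset has been completed."""
    return not acct.get("password_expired", False) and hmac.compare_digest(acct["pw_hash"], pw_hash)


if __name__ == "__main__":
    store = make_sample_accounts()
    issued = force_reset_all(store, now=1000)
    print(all(not a["sessions"] for a in store.values()))
    print(redeem_reset(store, "alice@example.com", issued["alice@example.com"], "h-alice-new", now=2000))
```

In a real deployment the plaintext tokens returned by `force_reset_all` go straight to the mailer and are never written anywhere; given the mail-queue problems described below, the mailer would also need to rate-limit itself rather than flood the outbound servers.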
All of this despite the fact that the server that was hacked did not hold credit card or payment information (save the last four digits of a registered card). Other personal identifiers, however, were at risk.
Their mail servers became overloaded: it was not a denial of service attack but simply the volume of e-mails in and out that slowed the system. It was therefore several hours before even an automated reply was received to enquiries. But if e-mail was slow, that was nothing compared to the problems the company foresaw if it tried to handle enquiries by phone.
The reply showed in graphic detail just how much disruption can be caused to a business by an event of this nature.
"In order to service as many customer inquiries as possible, we will be asking all employees at our headquarters, regardless of department, to help with assisting customers. Due to the volume of inquiries we are expecting, we realised that we could serve the most customers by answering their questions by email. We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren't capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)
"We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers' critical credit card and other payment data was not affected or accessed.
"Over the next day or so, we will be training everyone on the specifics of how to best help our customers through their password change process now that their passwords have been reset and expired. We need all hands on deck to help get through this."
As an object lesson in how to communicate with a huge and seriously angry / anxious customer base, the e-mail is excellent. But behind it lies a corporate pain that only businesses with large and very diverse customer bases can relate to.
That'll be banks, insurance companies and securities houses, then.
But the risk is that such a strategy can backfire. The company is, effectively, closed for business while the crisis is resolved. Some will see that as responsible. Others will switch to other retailers and business will be lost. If that were to happen because a business had done the right thing, it would be unfortunate.
Banks and securities houses (in particular) cannot just close their electronic doors for a few days. Using on-line services is not the same as buying a pair of shoes. Any outage can have serious detrimental effects on customers. Just ask the Australian banks that have had a series of failures where salaries have not arrived and, as a result, loan payments have not been met. Some customers found penalties were applied, which caused serious upset.
While financial institutions are, without doubt, trying to ensure their networks are secure, the Zappos.Com case provides fresh impetus.