UPDATE: Online retailer Zappos said that its network has been compromised and attackers were able to access personal information belonging to more than 24 million of its customers. Zappos said that its database that contains customers’ credit card numbers was not compromised, however.
“We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky. We are cooperating with law enforcement to undergo an exhaustive investigation,” Tony Hsieh, the company CEO, said in an email to employees.
“Because of the nature of the investigation, the information in this email is being sent a bit more formally, and unfortunately we are not able to provide any more details about specifics of the attack beyond what is in this email and the link at the end of this email, but we can say that THE DATABASE THAT STORES OUR CUSTOMERS’ CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.”
Zappos is a large retailer, mainly known for its shoe business. But the company also sells a large range of other goods, including clothing and accessories. As a result of the data breach, Zappos already has expired all of the affected customers’ passwords and is requiring them to reset their credentials.
“We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers’ critical credit card and other payment data was not affected or accessed,” Hsieh said in his email.
A company spokesperson declined to comment on the breach, but directed inquiries to the letter by CEO Hsieh. The company has temporarily disabled its phone lines due to an overwhelming volume of calls and has pulled its “entire staff” to the job of informing its 24 million customers and prompting them to update their password.
Zappos has created a site with information for customers who are affected by the data breach, which can be found here.