Lessons Learned from the Zappos Breach
When CRM is your life, customer data is your lifeblood. And your blood likely ran cold when you heard that as many as 24 million Zappos customer records had been obtained by hackers. The data exposed wasn't limited to credit card numbers—email addresses, physical addresses, and other personally identifiable information were lost as well. And the company is now paying the price, literally and figuratively, with lawsuits coming at them from every direction. When your customers are in every state in the union, and at least as many countries, your business is subject to an equally large number of data protection and breach notification laws.
All of the work you do to build relationships that form the foundation of your company's revenue growth plans can be lost in the nanosecond it takes for a hacker to get past your data defenses. So here's a look at the CRM lessons to be learned from the Zappos case. I've also included a brief explanation of the different technologies available to help secure your data.
Lesson #1: It's not just about credit card protection
Zappos appears to have assumed that abiding by the rules governing the protection of customers' credit card data—the PCI-DSS (Payment Card Information–Data Security Standards) regulations—was enough. Since only the last four digits of customers' credit card numbers were stolen, they were technically in compliance.
But the hackers simply moved on to the lower-hanging fruit—the personally identifiable information that would enable them to extract the financial information they really wanted directly from the customer. In the Zappos case, the personal information was clearly inadequately protected. Today's cybercriminals are technically sophisticated and passwords alone, however "strong," are not enough to protect the lifeblood of your business. You must protect the data itself, not just the access to that data. Once the password is cracked, the data is gone.
Lesson #2: Don't put the burden of security on your customers
By requiring customers to change their passwords following the breach, Zappos was putting the onus on its customers to fix the problem—not to mention shutting the stable door long after the horse had bolted. They compounded the error by emailing that information to customers and closing down the phone lines. By allowing hackers access to email addresses and other personal information, Zappos had provided them with everything they needed to set up a look-alike Web site and go on a major phishing expedition for both personal and payment card data. And by closing down the phone lines, the company removed the only real way customers could verify the information being emailed to them.
Lesson #3: Embed data protection into your business's DNA
Quite simply, if your business is relying on passwords to protect customer data, you shouldn't be in business. That goes double if you're storing that data in a third-party data center, cloud-based or otherwise. How many database administrators have access to your data? What would happen if one of them had a really bad day at work and decided to put the database access controls up for auction on a black-market site?
Data protection is about more than compliance; it's about connecting the dots between data protection and data value. It's time to move away from the "knee-jerk, just pay what it costs" approach and evaluate security in much the same way as other company expenditures, keeping cost versus benefit (customer value) ratios firmly in mind. Your business has invested significant time and resources building a repository of customer data that can be mined and manipulated to deliver the optimal return on that investment. Give it the level of protection it deserves.
So what's a business to do?
Securing so-called "big data"—the vast, invaluable, and ever-growing information repository that businesses hold about their customers and prospects—seems daunting. The data may even not be under the business's direct control at all times, especially if cloud storage is involved. Data protection mandates are constantly evolving, as is the technology to handle that data protection. So it's incumbent on everyone involved with CRM strategy and implementation to understand the basic building blocks of data protection.
There are two basic technologies in data protection—encryption and tokenization. Each has its strengths and weaknesses, so let's take a quick look at the value each delivers, and how they can be used to maximum value.
Encryption has been widely used for decades, and continues to play an important role in the overall data protection strategy. Encryption essentially involves the use of a specific mathematical algorithm to translate sensitive data into a binary form; a master "key" is required to decrypt the data and return it to a form usable by humans. A number of different approaches to encryption are in use today, including "formatted," "strong," and "end-to-end."
Encryption can be used with any type of data, structured or unstructured, including graphics, sound files, and other nontext information. Some data protection mandates require the use of encryption in certain situations. However, encrypted data must be unencrypted for mining and analysis, rendering it vulnerable again. The encryption keys must be regularly changed to minimize the likelihood of a breach, again creating vulnerability. If the encryption key is cracked or stolen, all that sensitive data can immediately be unlocked by a hacker.
Several years ago, tokenization emerged as a "next generation" approach to protecting data, particularly structured data, such as that found in CRM databases. Instead of using a mathematical algorithm to mask sensitive data, tokenization replaces that data with randomized "tokens" (character strings) that are meaningless to anyone gaining unauthorized access to that data. Those tokens use a token "lookup table" to unscramble the data and return it to a readable form. You may hear different types of tokenization referenced, including "static," "dynamic," and "in memory."
Tokenization is less vulnerable to hacking than encryption, because even if hackers obtain the tokens, without the token lookup table, the data remains inaccessible. Tokenized data can be used in a "safe mode" that enables the data to still be mined and manipulated without risking its security. Tokenization also reduces the "scope" of PCI compliance audits.
However, tokenization today can only be used with structured data; multimedia files such as call center recordings or patent illustrations, narrative text, and other free-form information need to be encrypted.
In light of the Zappos incident, it's essential that you take an active role when your business is re-evaluating its data security strategy.
Raul Ortega is vice president of research and development at Protegrity, a provider of end-to-end data security solutions.