For information security, the year 2012 has indeed started off on a shocking note. Zappos.com, one of the largest online retailers dealing in shoes and apparel, has become the latest victim of a cyber-attack, affecting over 24 million customer accounts in its database.

A cyber-criminal had apparently gained access to the internal network and systems of Zappos through one of its servers in Kentucky. In its email notification to its 24 million customers, Zappos has reportedly stated: “there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password)”. However, to much relief, the database that stores the critical credit card and other payment data was not affected or accessed.

Zappos.com has promptly initiated security precautions by resetting the passwords of users, creating awareness of phishing attacks and recommending that its customers reset their passwords on other websites too, in case they had used the same password there.


Citing an investigation by the FBI into the security breach, Zappos.com has not revealed the specifics of the attack. As a result, it is not known how the breach occurred. The modus operandi of the hacker and other details that would be required to do a post-mortem on the incident are not available.

As things stand today, it is neither possible nor fair to comment on the security practices or lapses on the part of Zappos. It is, however, worthwhile to dwell on the cyber-incidents that have happened in the recent past and draw lessons that could help prevent security incidents in other enterprises in the future.

Researchers repeatedly point out that cyber-crimes and identity theft incidents are growing at unprecedented rates and will only keep growing in 2012 for many reasons, including the economic situation, social factors and technological advancements that make tech-savvy criminals more creative with every passing day.

Achieving the highest level of information security is the obvious goal for IT and other enterprises. But this goal is fraught with two main challenges:

External Attacks – Enterprises come into contact with a variety of people in a variety of ways. Sensitive information and IT resources need to be exposed to or shared with partners, agencies and even customers. In many businesses, an ever-increasing number of customers turn to information technology to access various services. All of this makes enterprises vulnerable to data breaches and cyber-attacks from amateur and expert hackers.

Internal Threats – Threats to information security do not always develop from outside. They could well originate right inside the organization. Disgruntled staff, greedy techies, tech-savvy contractors and sacked employees could act with malicious intent and misuse privileged access. The business and reputation of some of the world’s mightiest organizations, including many government agencies, have been shattered in the past by a handful of malicious insiders.

In the next part of this blog, let us analyze how threats develop in enterprises, the causes and the ways to tackle the challenge.

Bala
ManageEngine Password Manager Pro
