The Zappos Retail Inc. data breach, wherein thieves stole partial credit-card numbers from the shoe-marketing giant, may demonstrate that merchants have taken key steps to prevent the theft of full account numbers.
The bad news for merchants is the growing awareness that scrupulously following the Payment Card Industry Data Security Standard guidelines is no longer enough to protect against hackers seeking other types of stored customer information useful for perpetrating fraud.
"The target for hackers is expanding," says Todd Thiemann, senior director for product marketing at Vormetric Inc., a provider of data-encryption services for merchants complying with the PCI standards. "It's not just card data hackers are after anymore."
Hackers are also after email addresses, phone numbers and other information they can use to facilitate fraud, he says.
In a departure from some other high-profile data breaches in recent years, this time thieves stole only the last four digits of consumers' credit card numbers, Zappos told some 24 million customers in a Jan. 15 email. Zappos, an Amazon Inc. unit, is one of the world's largest online footwear and accessories sellers.
An unauthorized party may have obtained "one or more" elements of customers' personal data, including names, email addresses, billing and shipping addresses and phone numbers, along with the last four digits of credit card numbers, Zappos said in its email.
The Zappos breach has some similarities to an incident at email marketing company Alliance Data Systems Corp.'s Epsilon unit in March, in which customers' emails and other data were exposed, raising the threat of identity fraud and phishing scams.
Although details are scant and Zappos executives were not available for comment, security experts say it appears that Zappos was in compliance with PCI standards. Those standards require companies handling payment card data to encrypt full credit card numbers, or to avoid storing the entire number, so that a full account number is not exposed in the event of unauthorized access.
"This incident shows that merchants are definitely getting better about protecting card data," says Jose Diaz, director of technical and strategic business development for Weston, Fla.-based Thales e-Security, which provides encryption technology. "It is a sign of real progress for PCI adoption."
But merchants now face the escalating risk of other types of consumer data they may leave exposed.
Zappos urged its customers to create new account passwords, and warned them to beware of email or telephone scams that might use data obtained in the breach to extract further information for fraudulent purposes.
"The Zappos incident shows that companies really need to consider encrypting all types of customer data, not just payment card data, because of the growing number of data breaches and overall risk unencrypted data poses," Thiemann says.
Once companies have invested in the infrastructure to enable advanced data encryption, the investment to expand that technology to other data is relatively affordable, Diaz says.
Such an expansion "may be what companies that deal with a lot of personal customer data may need to do," he says.
So far, PCI standards require no encryption of broad types of customer data, including email and shipping addresses and phone numbers, Diaz says. But for merchants that want to fully protect data and avoid costly problems, "encrypting all types of consumer data is a good practice," he says.
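The storage practice the experts describe above, keeping only the last four digits of a card number, together with the check a merchant would want before the other customer fields in the same record are written, as an added example that is not part of the original article: a Luhn-validated truncation of the card number, and a scan of the remaining fields (name, email, addresses, phone, free text) for a full card number that has leaked into them. The record layout and the test card number are constructed for illustration; the record's other fields are the ones the article lists, not Zappos's actual schema.

```python
import re

# Constructed sample record. The card number is a widely published test
# number, not a real account.
SAMPLE_RECORD = {
    "name": "A. Customer",
    "email": "customer@example.com",
    "shipping_address": "1 Example St, Springfield",
    "phone": "555-0100",
    "card_number": "4111 1111 1111 1111",
}

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded
# in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check card numbers use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits, the form the article says Zappos stored."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a plausible card number")
    return digits[-4:]


def find_full_pans(record: dict) -> list:
    """Return the names of fields that still hold a full, Luhn-valid card number."""
    hits = []
    for field, value in record.items():
        for m in PAN_CANDIDATE.finditer(str(value)):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append(field)
                break
    return hits


def minimize(record: dict) -> dict:
    """Replace the stored card number with its last four digits."""
    out = dict(record)
    out["card_last4"] = truncate_pan(out.pop("card_number"))
    return out
```

Run `find_full_pans` over a record after `minimize` and before it is persisted; a non-empty result means a full account number is about to be stored outside the card field and the record should be rejected.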