The Zappos breach is generating a lot of conversation among people who have no interest whatsoever in overall cybersecurity. When places like Lockheed Martin or RSA suffer a breach, the average person doesn't think twice about it. They may not even know the breach happened unless it is headlined on a news site, and even then, what are the chances they'll even read the piece? But it is a whole different matter when you get a letter saying that your own information may have been compromised. People take notice. They chat about it. They worry about it. One friend came out and said that a breach like this is why she avoids shopping online; she can't trust it.
For the business world, I think one lesson of the Zappos breach comes from the reactions of the company and the customers. No doubt about it, a breach will cause some damage to the company brand. How much damage will depend on the company action. (I'm not sure that Sony has totally regained the trust of its customer base. I personally know more than a few people who canceled their accounts and walked away, not because of the breach but because of the way Sony handled it.)
Zappos appeared to do the right thing; it sent out emails to customers to warn them of the breach and urged them to change their password to the site. My friends reported that they were getting responses to their questions from customer service. But those same friends said that the letter telling them to change their password worried them enough to ask if they should be doing more to protect their information after the fact.
Overall, the Zappos response strategy is "not a good idea," contends John D'Arcy, assistant professor of information technology at the University of Notre Dame. The Zappos decision to terminate customer password access creates a situation that makes it appear "it's a panic mode" and would likely create a sense of panic. Other analysts generally praised the Zappos response. Gartner analyst John Pescatore, while noting he doesn't know if Zappos sufficiently protected its systems or not, said he finds the Zappos public response to be a good one so far, especially in terms of communicating publicly, adding "avoiding exposures of course is much better."
One thing I found interesting from the discussion with my friends was that they didn't know for certain if the email they got was legitimate or a phishing scheme. That concern needs to be taken seriously. As Neil Roiter, director of research, Corero Network Security, told me:
Although Zappos apparently took standard security measures to protect customers' credit card information and passwords, we can expect the attackers to use the stolen information (names, email addresses, billing and shipping information and the last four digits of credit cards) to launch social engineering attacks to exploit Zappos customers.
One of my friends took the right approach. She did not click on the link enclosed in the email, but went directly to the site by entering the site's URL herself.