Zappos Breach Shows Hacker Hits Just Keep Coming
As lawsuits against Amazon and Zappos over a recent hacking breach that threatened millions of customer accounts wind through the courts, the elephant in the room is why such incidents keep occurring at firms with deep pockets and lots of security expertise.
Better technology so far has been unable to stop such attacks, even as hundreds of millions of people worldwide put sensitive personal and financial data on e-commerce and social media networks.
On Jan. 15, Amazon's (AMZN) online shoe seller Zappos notified its 24 million customers that hackers had stolen account numbers and other customer data from its server network. Zappos said full credit card numbers and other critical data weren't stolen. Still, consumers have filed nearly a dozen class-action lawsuits against Amazon and Zappos over the breach.
Analysts say that despite technology improvements, hackers with enough skill and resources will continue to penetrate the computers of even the most-secured companies.
"The sophistication of professional hackers is continuing to move much faster than the rest of the (security) industry," said Amir Orad, the CEO of Nice Actimize, a New York-based financial services security firm. Actimize is a unit of Israel-based financial security software firm Nice Systems (NICE).
"There are a lot of companies out there that are highly compliant from a security point of view and those that are completely compromised (at risk)," said Martin Roesch, the founder and chief technology officer of network security provider Sourcefire (FIRE). (See Q&A story.)
Orad argues that every improvement in Internet technology potentially spawns a new vulnerability for hackers to exploit.
But the good news, say analysts, is that the strategy of providing "layered defenses" for company data - multiple levels of software defenses - is working, to a point.
An example of a layered defense is so-called two-factor identification technology, which requires an extra means of identification, beyond a password, to enter a computer system. The second ID can be a physical card or a separate security code.
Orad says that in the Zappos case, hackers grabbed the last four digits of customer credit cards but failed to get complete numbers. Reports say hackers also failed to get actual passwords. But they got customer names and email addresses, as well as billing and shipping information. Zappos had layered security, says Orad.
"It shows the value of layered security. One has to assume that some of the layers will be breached - if not today, then tomorrow," Orad said, stressing that it's less likely that all the layers can be pierced at once.
But analysts say the futility of creating completely hacker-proof security systems has been dramatized by several incidents in the past few years.
Last March, RSA, the security division of storage giant EMC (EMC), said its computers had been breached by hackers. The EMC unit specializes in two-factor ID technology that's supposed to stop unauthorized access to corporate computer systems. And on Friday, MasterCard and Visa payment processor Global Payments (GPN) announced a security breach that, it said on Monday, affected up to 1.5 million credit card accounts.
"It's important not to put all your faith in one security technology," Sourcefire's Roesch said.
In September 2010, a nuclear power plant in Iran was hit by a so-called Stuxnet computer worm that was designed to disrupt power and industrial networks. The attack, which some reports hinted was the work of Israeli hackers, overcame the best cyberdefenses that oil-rich Iran could buy.
Analysts note that well-defended U.S. government computers are hit daily by hackers, sometimes successfully.
Advanced and well-invested Silicon Valley companies like Google (GOOG) also have had their databases penetrated by hackers traced to mainland China.
Orad says the growing severity of hacker attacks will give rise to new industry standards for measuring the adequacy of corporate cyber defenses. He predicts this will take the form of different benchmarks for different industries.
For less sophisticated businesses, Orad says having individual security standards tailored to their industry "offers a good baseline."
Analysts say the best security advice for consumers who use e-commerce and social media sites is to avoid using the same password to access different websites.
Though different passwords are tough to memorize, the practice is always safer than using the same password. Said Orad, "You don't want to have the same key that opens all of your front doors."