Being Ready for a Crisis

Of the many well-publicized cyber-attacks that have occurred in the past decade, at least one was noteworthy because it failed to bring a company down. On the morning of Jan. 16, 2012, millions of people awoke to the news that every online shopper dreads: Zappos, a leading retailer of shoes, apparel, and accessories, had been the victim of a cyber-breach that captured information from as many as 24 million customer accounts. Major news outlets, financial websites, and security blogs all published headlines covering the crisis at Zappos, which had been acquired by publicly traded Amazon just three years prior in a deal worth US$1.2 billion.

The online retailer immediately announced the launch of measures to reduce the impact of the crisis. But the most critical factor in surviving the attack didn’t need to be launched. The company had already put preventive measures in place, long before the hack was discovered. For example, it had stored customer passwords and credit card information on a server separate from other customer details, a server that was ultimately found to be uncompromised by the cyber-attack. Zappos also had stored customer passwords only in hashed (cryptographically scrambled) form rather than as readable text. Had the hackers accessed the relevant server, they would have seen “##########” in place of the actual passwords.

These precautions were considered leading-edge practices for protecting customer information from cyber-attack, but they were most noteworthy for something that had little to do with technology. They were part of a comprehensive crisis response plan that articulated the capabilities that Zappos would need if a cyber-attack — or any other type of business-disrupting crisis — occurred.