This paper examines critical information technology security vulnerabilities affecting Zappos.com, a leading online retailer of apparel and footwear. The analysis identifies specific security failures, including disabled Trustwave protection, SSL/TLS vulnerabilities, and the Heartbleed OpenSSL bug, which collectively threaten customer data protection. The paper evaluates how these security gaps conflict with Zappos' reputation for customer service excellence and proposes implementing Fixed OpenSSL across the entire organization and supply chain while resolving outstanding Trustwave certification issues to restore customer trust and protect sensitive information.
Established in 1999, Zappos.com, operated and maintained by Zappos IP, Inc. (hereinafter alternatively "Zappos" or "the company"), has emerged in recent years as one of the leading providers of online apparel and footwear sales. The company has achieved its success through a combination of top-notch customer service, innovative marketing and order fulfillment practices, as well as providing customers with an enormous array of selections. Currently, Zappos.com features millions of products from more than one thousand shoe and clothing brands. For six years running, Zappos.com has been designated as one of the Fortune 100's Best Companies to Work For. Moreover, Zappos.com has been rated as "Elite" by STELLA Service and has been designated one of just forty J.D. Power Customer Service Champions in the United States in 2011.
However, despite this sterling reputation for customer service excellence, Zappos has experienced significant information technology security issues in recent months. This paper provides an analysis, evaluation, and synthesis of the critical security problems facing Zappos and the best solution for addressing them. A summary of research findings concerning these information security issues is provided in the conclusion.
Companies that use a website as their central business hub for integrated marketing must provide a comprehensive approach to customer service. Irrespective of the type of platforms used for customer interactions, the overarching objective is to develop positive rapport with customers to build loyalty and repeat business. According to business analyst W.J. Cusick, "Zappos understands that—Web company or not—the true customer experience is the cumulative effect of all interactions and communications on the customer's perception of the company."
While Zappos has managed to deliver the high quality of customer service needed to build and sustain a successful enterprise, the company has experienced serious information technology security issues. These vulnerabilities directly threaten the trust that customers place in the company's ability to protect their personal and financial information.
On the company's website page "Protecting Your Personal Information," Zappos claims that personal customer information is thoroughly protected by Trustwave. The site encourages visitors to "Click on the Trustwave Trusted Commerce Seal for details regarding the Trustwave compliance and security services provided to Zappos. You can also find verification of this certificate on some Zappos.com secure pages, like our checkout and billing pages."
However, when visitors click on the Trustwave Trusted Commerce Seal, the following message appears:
Trustwave does not recognize this organization. Trustwave Holdings, Inc. makes no representation or warranty as to whether systems are secure from either an internal or external attack or whether cardholder data is at risk of being compromised. Trustwave Holdings, Inc. makes no representations or warranties regarding this company's business activities or operations.
An email query concerning this discrepancy directed to the customer service department at Zappos remained unanswered at the time of this writing. Despite this incongruence, Zappos continues to emphasize the protections afforded by the Trustwave service on its website. Additionally, the company's website instructs visitors that "While on one of these pages, simply click on the key or lock image in the bottom bar of your browser window. A window will appear with our site security information." However, a visit to the company's checkout page reveals that no such key or lock image appears in the bottom bar of the browser window, creating further confusion among customers.
The company states that its servers are protected by secure firewalls that provide complete protection for customers. Zappos maintains that "You're absolutely safe while you shop. SSL Technology, Trustwave, and Industry Standard Firewalls all work together to ensure your privacy and to assist in protecting your personal data." Yet not only is the company's Trustwave protection disabled, but Zappos also reported on October 15, 2014, that it had experienced other problems in its IT security systems.
According to a Zappos technician, "Due to the SSL vulnerability that was announced [October 14, 2014], Zappos has taken proactive steps to disable SSLv3/v2. SSL or secure sockets layer provides encryption to prevent your information from being intercepted between you and a service provider, such as Zappos." Rather than fixing the problem outright, the company simply instructs customers to make changes on their own: "If you are using an older browser to connect to our site, you will be impacted by this change and should upgrade to a more secure version."
Tellingly, Zappos' customers would not know about this requirement unless they took the time to explore the company's technology website pages. Additionally, the company continues to experience problems with the manner in which its secure pages are transmitted over different browsers, meaning some customers may not be fully protected until Zappos identifies and resolves the issue.
The company also states that it does not require customers to provide the three-digit security code from the back of their credit cards, as virtually every other online transaction requires. The company justifies this by noting that the code is not required to complete a transaction; however, Zappos also emphasizes that it has employees reviewing transactions for fraudulent activities and that this policy may change in the future.
Finally, a post by the company's information security officer (ZISO) entitled "Heartbleed" (April 17, 2014) reported a major security issue affecting the company's OpenSSL applications. According to the ZISO, a flaw in the company's OpenSSL enables hackers and other perpetrators to defeat its encryption technologies, revealing usernames, passwords, and other sensitive customer information. Notwithstanding assurances from the company that the problem has been resolved, the ZISO concedes that many customers still report having problems with the company's IT security systems.
Information systems and technology (IST) organizational success factors for Zappos directly relate to the company's website hub and the thousands of brands it features. The emerging model being used by Zappos is focused on using its human capital resources to their maximum advantage, particularly with respect to frontline customer service. Indeed, the company proudly notes that it holds the record for a ten-hour-plus customer call. The critical success factors for the company's IT security systems include the extent to which (a) information provides a vehicle for expressing, sharing, and using knowledge, and (b) the tools of information systems and technology are enablers of business processes and networks among employees as well as with customers, suppliers, and partners.
As a critical success factor, the company's customer service is inextricably interrelated to the company's IT security systems. Rather than using an interactive voice response (IVR) system, Zappos employs human representatives who are intensively trained before being allowed to deal with customers. In fact, trainees are paid during their training and even offered a $2,000 bonus to not take the job after completing training—a practice that pays off by providing the company with employees truly committed to the company's vision and ideals.
Furthermore, customer service representatives at Zappos are empowered to take whatever steps are necessary to satisfy customers, including spending extended time on orders and even sending replacement shoes for quality issues without requiring the return of defective merchandise. As Cusick emphasizes, "Zappos trusts you. Let me repeat that. Zappos trusts you. Imagine how that makes you feel as a customer. It's a powerful sentiment and emotion that connects with people at a very deep level." This powerful sentiment, however, can easily be disrupted by flaws in the company's IT security systems, undermining the trust that customers place in the organization with their personal and financial data.
There are several IT security issues facing Zappos at present, with the Trustwave security protections and the Heartbleed Bug being among the most serious. Although the Trustwave issue remained unresolved, steps were taken to address the Heartbleed Bug issue, which represents a serious vulnerability in the widely used OpenSSL cryptographic software library. According to the vendors, "This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging and virtual private networks."
This vulnerability provides a means for unauthorized users to read the memory of online systems that are supposed to be protected by vulnerable versions of the OpenSSL software. As a result, the secret keys used to identify service providers and to encrypt usernames, passwords, and sensitive content are compromised, exposing customer data to potential misuse.
In response, Zappos implemented a patch solution, "Fixed OpenSSL," and reissued the security certificates on its website. The company's initial analysis of the Heartbleed Bug determined that the vulnerability allowed unauthorized users to steal sensitive customer information from its website. The company reports that, "Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, usernames and passwords, instant messages, emails and business critical documents and communication."
Subsequent tests following the implementation of the patch indicate this problem has been resolved. The company is also continuing to test its existing security protocols to determine if additional vulnerabilities exist. However, to the extent that vulnerable versions of OpenSSL remain in use across the organization and supply chain, the potential for abuse remains.
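As an added check that is not part of this paper or of Zappos' own tooling, the following Python script encodes the two verifications the Heartbleed discussion above implies: that the installed OpenSSL is outside the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g carries the fix), and that the site certificate was reissued after the disclosure date of 7 April 2014, since a private key that lived in a vulnerable process must be treated as leaked. The version banners and dates are constructed sample inputs, and the function names are my own.

```python
import re
from datetime import date

# Heartbleed was disclosed publicly on 2014-04-07 together with OpenSSL 1.0.1g.
HEARTBLEED_DISCLOSED = date(2014, 4, 7)

# Matches the leading part of `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta(\d+))?")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter, beta_number_or_None) from a version banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    beta = int(m.group(6)) if m.group(6) else None
    return major, minor, patch, m.group(4) or "", beta


def is_heartbleed_vulnerable(banner):
    """True when the upstream version string falls in the affected range.

    Caveat: distributions backport the fix without bumping the letter
    (Debian's 1.0.1e-2+deb7u7, for example), so a True result means
    "check the vendor advisory for this build", not "confirmed vulnerable".
    """
    major, minor, patch, letter, beta = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"          # 1.0.1 (no letter) up to and including 1.0.1f
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1              # only 1.0.2-beta1 shipped the bug
    return False                      # 0.9.8 and 1.0.0 branches were never affected


def remediation_status(banner, cert_not_before_iso):
    """List outstanding remediation items: patched library AND a post-disclosure certificate.

    cert_not_before_iso is the certificate's notBefore date as 'YYYY-MM-DD'.
    """
    findings = []
    if is_heartbleed_vulnerable(banner):
        findings.append("openssl still in affected range; upgrade to 1.0.1g or later")
    if date.fromisoformat(cert_not_before_iso) < HEARTBLEED_DISCLOSED:
        findings.append("certificate predates disclosure; generate a new key and reissue")
    return findings


if __name__ == "__main__":
    # Constructed sample: a host patched in April 2014 whose certificate was never reissued.
    print(remediation_status("OpenSSL 1.0.1g 7 Apr 2014", "2013-11-02"))
```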
The company uses Secure Sockets Layer (SSL) technology to provide customers with online security, including password and credit card information protection, during their shopping experience. The company secures all pages that deal with personal customer information in this manner. Nevertheless, to eliminate the potential for future vulnerabilities, Fixed OpenSSL must be installed by all of the company's supply chain partners to avoid this problem in the future.
Specifically, Zappos should resolve the Trustwave certification issues and install Fixed OpenSSL for all of its employees—including both traditional and virtual teams—as well as across its various departments organization-wide. Additionally, all interorganization communications must be protected by the Fixed OpenSSL solution, and all of the company's global supply chain partners must implement the same security standards to ensure comprehensive protection of customer data throughout the entire ecosystem.
The research showed that Zappos has grown its online business by providing high quality customer service and a broad array of brands. The company's success is threatened, though, by several IT security issues. In response to these problems, the company should resolve the Trustwave issues and install Fixed OpenSSL for all of its 1,500 employees, traditional and virtual teams, as well as its various departments organization-wide. In addition, all interorganization communications must be protected by the Fixed OpenSSL solution as well as all of the company's global supply chain partners. These comprehensive measures are essential to restore and maintain customer trust in Zappos' ability to protect their personal and financial information in an increasingly threatened online environment.