
The Zappos hack: When not to be cute

This morning I, and apparently 24 million other Zappos customers, received an email telling me my personal information had been hacked. Here’s the email:

This appears to be a legit email. Zappos has confirmed the hack on its Twitter feed, on its website, and in a blog post.

First a little bit of background on Zappos, if you haven’t heard of them. They’re an online shoe and accessory store that’s owned by, but operated independently from, Amazon.com. The company is well-regarded in tech and marketing circles. Over the years, they’ve cultivated a loyal fan base by delivering excellent customer service. Their call center is legendary, and their reps are trained to be eager and friendly, and to spend as many hours as it takes on the phone to make every single customer happy. Zappos’s marketing copywriting is usually honest, friendly, and a little funny.

* * * *

And now today, they tried to carry that jovial attitude forward with a crisis-response email. Zappos deserves credit for transparency, and no doubt its fans will support it for that reason. The email contains an apology, and that’s also good.

But it has some serious problems. The email isn’t signed by anyone; it should have come from Tony Hsieh, Zappos’s celebrity CEO, who is well known to the company’s fans. And an attempt to write with a casual, slightly jokey tone fails here. Reading this email, I got a sense that nobody at the company has any idea how to handle a hard situation.

“First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:

The database that stores your critical credit card and other payment data was NOT affected or accessed….

We also recommend that you change your password on any other web site where you use the same or a similar password.”

Zappos lost control of its customer database, so I have to change all my passwords everywhere. And that’s the BETTER NEWS?!

Fuck you too, Zappos!

There’s a lesson here. If you need to write an email telling your customers bad news, do not be cute. That is, don’t start by saying “First, the bad news.”

Apologize in the first paragraph. Put the CEO’s name on it. Offer your customers a really sweet coupon to show you understand how much trouble you’re causing them. Explain in concrete steps what you’re doing to correct the problem.

* * * *

Now a word about transparency. On the company blog, Hsieh shared his message to Zappos employees, calling them all in to work extra hours. He also reveals that Zappos is disconnecting its famous call center:

“We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren’t capable of handling so much volume.”

Transparency ought to encourage a company to do the right action every time, by being accountable to customers for all decisions. Unfortunately, when you don’t know what you’re doing—i.e., your call center isn’t up to the task—transparency makes your flaws obvious to everyone.

It also makes it glaringly obvious when information is being withheld. In this case, none of the communication reveals when the supposed hack occurred; Hsieh only says “recently.” Did it happen yesterday? Or did it happen days ago, and it took the company a while to get its ducks in a row? Or worse, was a holiday Monday when the stock markets are closed the most financially convenient time to reveal the news?

Zappos’s early reaction makes me think the company is run by clowns and amateurs who can’t handle a crisis. This might not be the case. But the size of this debacle, and the words they’ve chosen to explain it, aren’t helping.

— By Daryl Lang. Filed under Marketing

6 comments

  1. David says:

    I, too, had a similar reaction to the email. It seemed a bit breezy. “Someone has all your personal info, but hey, at least you don’t have to worry about them buying shoes in your name because we reset your Zappos password, heh heh.”

    But I didn’t have the same reaction you did about the recommendation that you “change your password on any other web site where you use the same or a similar password.”

    You wrote: “Zappos lost control of its customer database, so I have to change all my passwords everywhere.”

    As I’m sure you know, you should not be using the same/similar password on more than one site. There’s no excuse for that anymore with apps like 1Password available for every major OS. See https://agilebits.com/onepassword. Buy it, install it, and use it. Easily create and manage unique passwords you don’t need to memorize. (Although it does more than that, too). Great tool.

  2. nixie says:

    I’ve been trying to reset my passwords all morning and never received the second email after submitting my info. I figure they are overwhelmed, but what a cluster! And I agree that they seem to be making light of this in the email.

  3. Alex says:

    “THE BETTER NEWS:

    The database that stores your critical credit card and other payment data was NOT affected or accessed…”

    That is the extent of the better news. The next paragraph begins “We also recommend…” It seems clear to me that this is a transition to another topic. Sorry you got so worked up about it, but the association is not there.

  4. Stacy says:

    I agree with Alex – the better news is about credit card data and that is indeed better news.

    But I agree with you that it should have been signed by the CEO.

    In general I don’t think the email is that bad, but I also don’t have a Zappos account, so I’m looking at it from an outsider’s perspective.

  5. Tim says:

    You also have to realize that this is their ENTIRE CUSTOMER DATABASE, not just a subset. If someone got in to the entire database, chances are they got more info than what we are being told.

  6. ashley says:

    Don’t love the e-mail, but I think it’s excellent that they included a “change your password” option in their navigation. I wouldn’t mind a coupon, but I’ll still shop there over other e-commerce sites because they get 99% of the stuff right.
