Zappos Sticks to Its Values in Communicating Customer Database Breach

Posted on January 19th 2012

Zappos is a social media darling. The company’s adoption of Twitter, its encouragement of employees to engage online openly during work and CEO Tony Hsieh’s commitment to social channels are all trotted out regularly in articles, books and talks. I’m as gung-ho on Zappos’ use of social media as anybody.

One test remained, however. All of Zappos’ social activities have so far been employed in pursuit of brand building and reputation by linking those activities to the company’s customer service-focused values. But how would the company do when faced with something negative, bad publicity if not an outright crisis?

By midday today, it’s clear that the company is sticking to its values even when dealing with bad news.

A cyberattack on Zappos’ servers allowed hackers to access 24 million customer names, email addresses, billing and shipping addresses, phone numbers, the last four digits of their credit card numbers and their encrypted passwords. Zappos isn’t the first company plagued by such attacks. Sony’s PlayStation unit is just one example, but a particularly notable one given the company’s jaw-droppingly awful efforts to inform customers of the breach, then keep them updated.

Zappos, on the other hand, was forthcoming and transparent. The attack occurred Sunday, January 15. Hsieh sent an email to employees that day alerting them to the attack and sharing with them the email that would be sent to customers. That email to employees was posted to a public Zappos site. The customer email included a link to a page that provides instructions on how to reset your password. (Zappos expired and reset passwords before sending out the email.) The company also set up an email address for customers with additional questions—securityquestions@zappos.com—and included it on the password change page.

Zappos Security Email Page

Both pages were up on Sunday, the day of the attack.

Hsieh’s publicly-disclosed message to employees was also an example of striking the right tone in a social world. “We’ve spent over 12 years building our reputation, brand, and trust with our customers,” he wrote. “It’s painful to see us take so many steps back due to a single incident.” And the public had full view of Hsieh’s instructions for “all employees at our headquarters, regardless of department, to help with assisting customers.”

Zappos shut down its phone system, opting to handle all inquiries during the early stages of the crisis by email. “If 5% of our customers call,” he said, “that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.” Again, this information wasn’t hidden inside the company’s firewall, but disclosed on the “Security Email” page of its website.

The company linked to the Security Email page from its Twitter account and its Facebook wall, where comments of distress got responses from the company, right alongside comments of support like “I love zappos! Their service is excellent, I’m sure they’ll take care of the issue and hopefully we can go back to normal soon. I hate stupid hackers.”

According to a post by Chris Eng, Zappos has also “been actively engaging customers on their @Zappos_Service Twitter account.”

The only thing I might have added to this quickly-adopted communication strategy is a notice on the home page and a reference on at least one of Zappos’ blogs (Hsieh’s blog hasn’t been updated since December 20).

But these are just nits. The result of Zappos’ nimble addressing of the issue is media coverage that mostly reports on the company’s public response rather than the severity of the breach.

According to the free social media monitoring service SocialMention, Zappos is being referenced every 14 seconds, and positive sentiment is running 8:1. Even if you account for the unreliability of sentiment engines (which have a tough time with sarcasm and cynicism), that’s a strikingly positive outcome given the circumstances. (Most of the mentions are neutral as people share links to articles and other resources.) And Zappos is engaging with those who take to social media, as in this example:

Tweet about Zappos

The loss of confidential customer data is never good. Certainly questions will arise about the security of such data in the wake of the attack. I suspect Zappos, based on their record, will be upfront about this, too. What’s important to remember in this case, though, is that the public is risk-averse. Zappos’ response was about as good as it could be under the circumstances in addressing the risk. That’ll go a long way toward restoring customer confidence in the organization.

Shel Holtz