Zappos leader takes time to encourage tech startups amid woes

The exhausted Zappos CEO has been doing damage control since Sunday, when he revealed that his Henderson-based company’s server in Kentucky had been hacked, compromising some 24 million customer accounts.

Yet Hsieh still made it to LaunchUp, a meeting for tech startups that Zappos helps sponsor, and gave a pep talk to a crowd of aspiring entrepreneurs. Beforehand, he told the Review-Journal the FBI is investigating the case, which limits what he could say.

But even as federal authorities look into the security breach, Zappos headquarters is starting to return to normal, he said, with customer service representatives expected to start answering the telephones again today.

"We’re all working really hard," Hsieh said. "We feel like we’ve made enough progress that we’ll be able to open the phones back up on Friday."

The company turned its phones off Monday and assigned all employees to answer customer emails about the security breach.

"We’ve never had to shut the phones down this long," Hsieh said.

How much damage was done by the hackers remains to be seen.

Hsieh said Zappos won’t comment on revenues until its parent company, Amazon, releases its quarterly numbers. However, only about 4 percent of Zappos orders are placed over the telephone, rather than through its website, he said.

Jason Maloni, senior vice president of Washington D.C.-based Levick Strategic Communications, said Zappos’ reputation probably will bounce back within a few weeks, barring further developments about the breach.

Maloni, who specializes in data security and privacy issues, has seen it before. He represented Heartland Payment Systems during a 2009 security breach that compromised 130 million credit card numbers. During that crisis, Heartland left its phones on and personally called each of the affected merchants. The move reassured customers, who were happy to hear a human voice.

Zappos, Maloni said, should have done the same.

"I can understand why they’d want to channel inquiries to email, but to take the phone off the hook seemed inconsistent with the kind of company I know Zappos to be," said Maloni, who is also a Zappos customer.

This is the $1 billion online shoe retailer’s first security breach, and authorities in Nevada were less willing to fault the young company’s approach.

Data forensics expert Ira Victor, a director at Reno-based Data Clone Labs who has advised the Nevada Legislature on cybercrime laws, said the breach at Zappos did not fit state requirements for public disclosure.

"They could have swept this under the rug as many companies do," Victor said.

The publicity surrounding the hacking took another twist Wednesday with news of a class-action lawsuit filed against Amazon over the breach. Hsieh declined comment on the lawsuit.

The lawsuit, filed Monday on behalf of plaintiff Theresa D. Stevens of Beaumont, Texas, in U.S. District Court in Louisville, Ky., seeks millions of dollars in damages and credit monitoring and identity theft insurance for affected customers.

Hsieh has said customer credit card and other payment information is stored in a separate database that was not breached. Information such as names, billing addresses, encrypted passwords and the last four digits of credit card numbers was compromised, however.

The class-action lawsuit will have no immediate effect on the company’s brand, Maloni said. Litigation is a long, drawn-out process, and its ramifications aren’t realized for months, sometimes years.

And Zappos is known for its customer service and has had no prior incidents. That will go a long way toward helping the company recover and move beyond this crisis, Maloni said.

"Zappos has going for it a tremendous number of deposits in the good-will piggy bank," Maloni said. "People love Zappos. Not everybody has that name recognition and trust factor going for (them)."

For Zappos customers wondering how to protect themselves from identity theft and credit card fraud, the company recommends changing all website passwords.

Victor said 82 percent of consumers use the same password or a slight variation on all sites, from Facebook to banking sites. That could cause a problem if a hacker is able to decrypt the passwords stolen from Zappos.

In a Oquendo Center auditorium near McCarran International Airport packed with LaunchUp entrepreneurs Wednesday night, it was inevitable that Hsieh’s Q&A session would include a question about the security breach. It came in the form of a request for advice: What tips does Hsieh have for start-ups that may face the crisis?

"I don’t have great advice for start-ups," Hsieh told the crowd. "If you’re not high-profile, you’re less of a target. Any time you’re dealing with customer information and credit card numbers, that is a huge, huge, scary responsibility."

The young entrepreneur, whose book "Delivering Happiness" chronicled his work in making Zappos both profitable and a Fortune best places to work, said the nearly 2,000 Zappos employees have banded together to help the company through a difficult week, creating more of a start-up atmosphere.

"Everyone’s really been taking this, ‘we’re all in this together’ attitude," Hsieh said.

"In a weird way, it’s made our culture stronger. Everyone’s working toward the same purpose and doing the same thing. That’s been a silver lining in all this."

Contact reporter Caitlin McGarry at cmcgarry@review journal.com or 702-387-5273.