Zappos vs. UFC: Who Exactly Are You Trying to Satisfy?



Brian Cantor
01/25/2012

In the fallout of a crisis, a fundamental customer management question becomes even more significant: who exactly are you trying to satisfy?

In recent weeks, customer experience kingpin Zappos and rising mixed martial arts powerhouse UFC were victims of web hacking attacks. Both, in the wake of the security breaches, needed to frame the issue for all potentially affected and thus needed to ask themselves, "who exactly are we trying to satisfy?"

If one were a betting man, he would undoubtedly guess that of the two, Zappos answered the question more accurately and issued the more compelling, worthwhile "response" to customers. Spoiler alert: he would be right!

But this story has a third act twist; as it turns out, even the brand synonymous with customer-centricity can make mistakes. And while Zappos was far nearer to the mark than UFC, both came up short due to a common error: a failure to completely consider the question, "who exactly are you trying to satisfy?"

On January 15, Zappos sent an email to customers announcing that because there "may have been illegal and unauthorized access" to some of their account information, it was resetting all user passwords. The breach would not have granted access to personal information like full credit card numbers and payment information, but it could have provided the hacker with names, e-mail addresses, mailing addresses, phone numbers, the last four digits of credit card numbers and "cryptographically scrambled" user passwords.


It also recommended customers reset their login credentials for any web account that used the same (or a similar) password.

As has become habit for Zappos in these situations, it also posted an internal memo from CEO Tony Hsieh, which alerted employees to the breach and advised them about the upcoming fallout. It, in particular, highlighted the positive of the situation: the most private customer data, including full credit card numbers, was untouched. Posting these memos comes across as gloriously transparent and is an absolutely brilliant customer management strategy.

Even before reading the messages from Zappos, the instinct for many customers and analysts was to applaud the effort. After all, by coming forward with the issue on its own, the company risked alarming customers—and damaging its glowing reputation—to spotlight what likely amounts to a very minor situation. It is only slightly jaded to wonder whether every other company would do the same, and it is now even harder to argue that Zappos cares about its customers.

And yet, despite very much taking a risk by making customers aware of the security breach, Zappos simultaneously tried to minimize its risk in a manner that was not especially customer-centric. Though helpful to a degree, the original email message also contained some ambiguous, even contradictory language that dampened customer understanding of the security breach. As a result, customers were somewhat handicapped in their ability to assess Zappos’ warning.

Notable was Zappos’ comment that the passwords potentially obtained by the hacker(s) were "cryptographically scrambled" (and not users’ actual passwords). While Zappos would ultimately disclose the basics of its cryptography mechanism at the urging of customers four days later, the initial comment produced unwelcome confusion with no customer experience benefit.

Zappos presumably acknowledged the "scrambled" nature of the passwords with self-interest in mind; it likely wanted to show that it had taken pre-emptive measures to secure user information so that its databases were not sitting ducks for hackers. But, unless Zappos used a cryptographic scheme that was literally impossible to crack (and, if it did, why not say so?), its acknowledgement of the scrambling risks misleading customers into believing the intruders could not, in fact, have conceivably gained access to the personal information.

As a result, it undermines the gravity of the "make sure you are not using your Zappos password on any other website" directive. In the customer’s mind: sure, it probably makes sense to err on the side of absolute caution and change all of my passwords, but if the hacker did not actually gain access to my password, why put myself through the nuisance of creating—and having to remember—a brand new login?

True, Zappos should not be expected to babysit customers and ensure they act pragmatically (if it says change the password, do not look for escape clauses, just change the password!), but why do anything to muddle the message (why give them the potential escape clauses)? Unless the company can say with certainty that the actual passwords cannot be decrypted, and it seems Zappos could not (or at least would not), it wants customers to behave as if their actual passwords were compromised. Showing evidence that precautions were taken to protect customer data, in this scenario, is needlessly confusing and self-protective (after all, the databases were accessed, so security was not perfect).

The initial email also omitted some details of importance to those trying to properly assess the issue. It did not provide any sort of ballpark as to how many accounts were actually compromised (in fact, based on the wording of the email, it is possible none were accessed*). It did not reveal when the breach occurred or for how long the intruder was inside the database (information that would reveal the probability that customers’ other web accounts with similar passwords have already been infiltrated).

In later correspondence, Zappos would claim its ambiguous disclosure was necessary in order to preserve the integrity of the ongoing FBI investigation. While that might be true to an extent, all it really means is that Zappos should have communicated in far bolder certainties—rather than wishy-washy generalities—when advising customers of the situation. Questions like "what kind of cryptography do you use" or "how long was the hacker in your system before being booted" would not matter as much if customers were told, without the use of self-protective words like "may," "potential" and "some," that its database was breached and customers must reset that particular password on Zappos.com and any other website.

As a further note, while the email gives customers a general warning about phishing attempts, it does not advise them of the very real possibility that the data obtained (again, assuming data was obtained…we don’t really know) could be sold to spammers. No, such a revelation would not portray Zappos in any sort of positive light, but it is a reality undoubtedly of interest to the affected customers.

Here, it seems Zappos wanted to claim the customer experience reward of "being forthcoming with customers" (and thus minimize any reputational fallout) without considering whether it could chew all that it had bitten off. Its communication was not driven by a correct understanding of the "who exactly are you trying to satisfy" mantra—it was not driven entirely by what is best for the customer.

Of course, given UFC’s handling of its recent hacking situation, it is hard to look too negatively upon Zappos.

On Sunday, January 22, following confirmation that UFC was one of the major content providers backing the controversial Stop Online Piracy Act (SOPA), hackers redirected the company’s official UFC.com website to the homepage of UGNazi, a hacking group that has targeted SOPA supporters. The group also apparently took over one of the Twitter accounts for UFC’s "The Ultimate Fighter" reality show.

UFC initially provided no formal statement regarding the hacking. In fact, when asked about the situation on Twitter, UFC President Dana White was bluntly dismissive of the situation.

Among his responses to users, which came while White was focused on the AFC and NFC Championship games: "Don’t give a shit"… "Why would I care? Why is that a big deal? Who gives a shit lol" … "I’m in the fight biz not the website biz" … "I’m not fucking e bay. My website being down doesn’t mean shit. I’m watching FOOTBALL today" … "E bay would be pissed!! I’m watching to c who plays the Pats" … "Football day jackass! @Patriots Superbowl!!! I’m not Google lol" … "Dude STFU I could care less. Tweet someone who cares I have made it clear I don’t."

While responsibility for the website very likely does not fall on the company president and was thus not necessarily a paramount concern for White per se, it is highly unlikely that he was truly so indifferent to the situation and his company’s web presence. Realistically, the White approach was probably more along the lines of wanting to downplay the significance of hacking the UFC website as a protest against the company (i.e., we’re not eBay and run our core business offline, so hacking us, particularly to send a message, will carry minimal impact).

But, as a number of Twitter users noted, even if hacking the UFC website is meaningless in the grand scheme of the business (and that fact, as it is, is very debatable), it can have enormous ramifications for the customers who submitted private data to UFC when they purchased merchandise, fan club memberships or online pay-per-views. These users had every reason to seek reassurance that their data was protected, and they were not getting the answer for which they were looking. That, no matter what attitude one feels he needs to project to the hackers, is a dangerous customer management strategy.

True, @JoshtheGod, on behalf of UGNazi, eventually confirmed that the group had no interest in stealing user data, but customers should rely on the victimized corporation—not the hacker—for such reassurance.

Two days later, UFC finally issued a statement, noting, "there is no evidence suggesting that any confidential information belonging to the company or its customers was compromised by the re-direction of the website."

That language—"no evidence suggesting"—is hardly reassuring, but even if that indeed represents all UFC is able to safely confirm, it still should have advised all UFC.com database members immediately. It certainly should not have allowed the face of the company to downplay the concern as irrelevant.

Cybercrime is a highly unwelcome plague for customer-facing businesses, who unfortunately have to accept responsibility and suffer reputational damage for the actions of others. But for as long as it remains a reality, businesses have no choice but to accept the risks of handling it in the manner desired by customers. They have no choice but to develop a response strategy that most appropriately answers, "who exactly are you trying to satisfy?"

*Note: There seems to be some confusion about this issue. In the email to employees, Hsieh says that the company will be notifying the "24+million customers in our database." Some have reported this as confirmation that 24 million accounts were compromised, but the more appropriate interpretation seems to be that there are simply a total of 24 million accounts, some of which were potentially compromised. Either way, none of this was in the email to customers.
