Keeping data and customers safe at Zalando
May 23, 2023
Technology

Providing a secure experience for customers, partners, and employees is, and has always been, paramount to Zalando. The company’s platform sits on a modern and resilient infrastructure equipped with high-quality security tooling that, in 2022, blocked over 19 billion attacks and prevented approximately 500,000 suspicious emails from entering our environment.

Florence Mottay, Chief Information Security Officer at Zalando, explains the measures that Zalando is taking to ensure that customers only need to worry about their fashion choices.

Florence, you have wide experience in the cybersecurity industry. What are the most common threats that our customers face?
You’d think I'd have experienced most threats over my two decades in the cyber field, but if there is any commonality, it’s in the fact that the threats are continually evolving.

One of the most common issues that our customers face is what we call ‘credential stuffing attacks’: many users use the same credentials (email and password) on different platforms, and when one of them is breached, malicious actors use these leaked credentials to gain access to other platforms. There are reports which estimate that 20% of passwords at a global level are compromised. This is why it is so important not to reuse the same credentials in different services. Imagine owning multiple homes, each with the same lock, which is convenient until the key is stolen! When it comes to reusing credentials, convenience is definitely not worth the risk.

There are of course many more, often better known, security issues that all of us face every day, like phishing attacks (where an attacker sends a fraudulent email or message in an attempt to trick the recipient into providing sensitive information) and the more damaging ones such as ransomware, an attack that encrypts a victim's files and demands payment in exchange for restoring the data.

In our increasingly busy, digital lives, and with the growing sophistication of threats, it’s more important than ever that we all take this seriously and remain diligent.

In 2022, Zalando prevented 19 billion attacks. This is an impressive number. Are we talking about credential-stuffing attacks?
Yes, but that’s only a small part. Among others, we also prevent (1) malware attacks that aim to damage or gain unauthorised access to computer systems, (2) denial of service attacks designed to overwhelm a computer system or network with traffic, making it unavailable to users, (3) insider attacks, which occur when a person within the company, such as an employee or contractor, intentionally or unintentionally causes harm to the company's systems or data, as well as (4) the phishing and ransomware attacks that we mentioned before.

19 billion may seem like a lot. However, it is important to understand that, like our immune system, tech companies (or companies with a tech infrastructure) are constantly preventing potential attacks, with different degrees of sophistication. These attacks usually don’t have a specific target (i.e. against Zalando) but follow a “spray and pray” approach, which launches a wide range of attacks in all directions in the hope of hitting a target.

What is Zalando doing to prevent this from happening?
A lot! We combine our infrastructure and tools with a team of information security experts who are continuously evaluating new technologies and implementing them as needed. This is a never-ending race, where attackers only need to succeed once, while we have to thwart all attacks. Threat sophistication is continuously increasing and requires constant adaptation and response.

Part of this continuous improvement is our recently joining the No More Leaks initiative, a public-private partnership set up between the Dutch police and a large number of companies with many online users. As a result, the Dutch police share lists of compromised credentials in a “hashed” form that we can use to check each login on our website and prevent potential fraud or abuse. "Hashed" means the data is protected under a mathematical calculation, so we and the Dutch police ensure privacy at all times.

Thanks to this partnership, from now on, if a customer tries to log in with or use a leaked pair of credentials to access Zalando, we will warn them so they can change it.
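As an added illustration of the login-time check described above (not Zalando's or the No More Leaks initiative's own code; the page does not describe the real exchange format), the following assumes a shared list of SHA-256 fingerprints over a normalised email and password, and shows how a login flow could warn a customer whose pair appears in it without revealing anything on failed logins:

```python
import hashlib

def credential_fingerprint(email: str, password: str) -> str:
    """Assumed fingerprint format: SHA-256 over "<lowercased email>:<password>".

    The real No More Leaks format is not described on this page; this is a
    stand-in so the check below can run on constructed data.
    """
    material = f"{email.strip().lower()}:{password}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()

def load_leaked_fingerprints(lines):
    """Parse a shared list: one hex fingerprint per line, '#' comments and blanks ignored."""
    fingerprints = set()
    for line in lines:
        entry = line.split("#", 1)[0].strip().lower()
        if entry:
            fingerprints.add(entry)
    return fingerprints

class LeakedCredentialChecker:
    """Checks a login attempt's email/password pair against the leaked set."""

    def __init__(self, fingerprints):
        self._leaked = frozenset(fingerprints)

    def is_leaked(self, email: str, password: str) -> bool:
        return credential_fingerprint(email, password) in self._leaked

    def login_outcome(self, email: str, password: str, password_valid: bool) -> str:
        """Decision for the login flow.

        rejected    -> wrong password; the leaked list is not consulted, so a
                       failed login never reveals whether a pair is known-leaked
        warn_leaked -> valid login, but the pair is in a breach list: warn the user
        ok          -> valid login, pair not seen in any breach list
        """
        if not password_valid:
            return "rejected"
        if self.is_leaked(email, password):
            return "warn_leaked"
        return "ok"

# Constructed sample list (not real breach data): one weak, reused pair,
# plus a comment and a blank line as a shared file might contain.
SAMPLE_LIST = [
    "# constructed sample, one SHA-256 fingerprint per line",
    credential_fingerprint("alice@example.com", "howstrong"),
    "",
]
CHECKER = LeakedCredentialChecker(load_leaked_fingerprints(SAMPLE_LIST))

if __name__ == "__main__":
    print(CHECKER.login_outcome("Alice@Example.com", "howstrong", True))  # warn_leaked
```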

How about customers? What can they do?
Cybersecurity is here to stay and is everyone's responsibility. We each have a role to play in protecting our personal and professional data and ensuring the safety and security of our communities and critical infrastructures. By working together and taking basic cybersecurity precautions, we can help prevent cyber attacks and minimise their impact. In particular, it is good to remember that individual actions can have a big impact.

It's often the seemingly small actions, like re-using or choosing a weak password, clicking on a suspicious link, or failing to update our software that can put our systems at risk – and it’s those individual actions that can have a big knock-on impact.

For example, the password "howstrong" would take less than 2 minutes to crack, while it would take attackers a few days to crack the password "H0wStr0!g?". Ask yourself: could my password be vulnerable? And if so, update it to keep yourself (and your organisation) safe! Here we provide some tips