Zappos Hack: Another Big Security Breach
Added by Rick Robinson on Jan 17, 2012
Shoe and clothing retailer Zappos reported that the personal information of some 24 million customers may have been taken by attackers. The incident is the latest to highlight the risk of large-scale data breaches.
A further twist: Zappos is owned by Amazon.com, a major cloud services provider. It is not yet clear whether the compromised database was hosted on Amazon's infrastructure, but any link between Amazon and a breach could be a setback for cloud adoption.
Bad News, Good News
As reported at Slate, word of the hack came via an email from Zappos CEO Tony Hsieh to the firm's employees and by a post on the company blog.
The message acknowledged that the attackers gained access to 24 million customers' information. The compromised data possibly included names, email addresses, billing and shipping addresses, phone numbers, and scrambled (that is, not stored "in the clear") passwords. Also exposed were the last four digits of credit card numbers, the digits commonly printed on receipts. Scrambled passwords are not worthless to an attacker, who can try to recover them offline by guessing; how much protection they give depends on how the scrambling was done, which Zappos did not say.
That was the bad news. The good news, which the message put in all-caps, is that complete credit card numbers and other payment information were kept in a separate database, which was not compromised.
This good news is anything but trivial. It is more or less the difference between a serious security breach and a disastrous one. Zappos also appeared to move quickly to contain the damage, expiring every existing password so that any password recovered from the stolen data would no longer work, and contacting customers with directions on how to set up new ones.
Also, anticipating a flood of phone calls, the company disabled customer phone lines and set employees to responding to queries by email.
A Teachable Moment
For small and midsize businesses (SMBs) that maintain customer information databases, this is just the sort of issue that keeps IT managers awake at night. Customers are spooked and the company gets a dose of highly unwelcome publicity. "It could have been worse" is still fairly cold comfort.
On the other hand, it could have been much worse, and keeping full credit card account numbers in a separate database turned out to be a very good move. The separation only pays off when it is real: the payment store needs its own credentials and its own access path, so that whoever compromises the customer-facing database does not inherit a way into the card data along with it.
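The two design points above (passwords stored scrambled rather than in the clear, and full card numbers kept out of the customer database behind a separate store) can be sketched in code. The following is an added illustration written for this article, not Zappos' or Amazon's code; the class names, the PBKDF2 work factor, the token format and the sample customer are all assumptions. It models a customer store that holds only a salted password hash, an opaque card token and the last four digits, a separate vault that alone holds full card numbers, and the bulk reset that Zappos applied after the breach.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example for this article; not Zappos' or Amazon's code.
# All names, parameters and the sample data below are assumptions.

PBKDF2_ITERATIONS = 600_000  # assumed work factor; slows offline guessing


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iters$salt_hex$hash_hex' with a random per-user salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # malformed or unknown record: never accept
    _, iterations, salt_hex, hash_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


class PaymentVault:
    """Stands in for the separate payment database: the only place full card numbers live."""

    def __init__(self) -> None:
        self._pans: Dict[str, str] = {}

    def store(self, pan: str) -> Tuple[str, str]:
        """Keep the full number here; hand back an opaque token and the last four digits."""
        token = secrets.token_urlsafe(16)
        self._pans[token] = pan
        return token, pan[-4:]

    def charge(self, token: str) -> str:
        """Resolve a token to the full number; only vault code ever calls this."""
        return self._pans[token]


@dataclass
class CustomerRecord:
    """What the customer-facing database holds; note there is no full card number field."""
    email: str
    password_hash: str
    card_token: str
    card_last4: str
    must_reset: bool = False


class CustomerStore:
    """The database an attacker would reach first; it never sees a full card number."""

    def __init__(self) -> None:
        self.records: Dict[str, CustomerRecord] = {}

    def register(self, vault: PaymentVault, email: str, password: str, pan: str) -> None:
        token, last4 = vault.store(pan)  # full PAN goes to the vault, not to this store
        self.records[email] = CustomerRecord(email, hash_password(password), token, last4)

    def login(self, email: str, password: str) -> bool:
        rec = self.records.get(email)
        if rec is None or rec.must_reset:
            return False  # expired credentials are refused even if the password matches
        return verify_password(password, rec.password_hash)

    def force_reset_all(self) -> int:
        """Post-breach response: expire every stored credential at once."""
        for rec in self.records.values():
            rec.must_reset = True
        return len(self.records)

    def set_new_password(self, email: str, password: str) -> None:
        """Complete the reset with a freshly salted hash."""
        rec = self.records[email]
        rec.password_hash = hash_password(password)
        rec.must_reset = False

    def exposed_fields(self, email: str) -> Tuple[str, ...]:
        """Everything an attacker who dumps this store gets for one customer."""
        rec = self.records[email]
        return (rec.email, rec.password_hash, rec.card_token, rec.card_last4)


if __name__ == "__main__":
    vault, store = PaymentVault(), CustomerStore()
    # constructed sample customer; the card number is a well-known test number
    store.register(vault, "customer@example.com", "correct horse", "4111111111111111")
    print("login ok:", store.login("customer@example.com", "correct horse"))
    print("exposed :", store.exposed_fields("customer@example.com"))
    print("reset   :", store.force_reset_all(), "accounts expired")
```

Dumping the customer store yields an email, a salted hash, a meaningless token and four digits; turning the token back into a card number requires a second compromise of the vault. The reset step is what makes a stolen hash safe to write off: once every credential is expired, whatever an attacker recovers by guessing no longer opens an account.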
Information about the hack itself has not yet come out. When it does, we will learn more specific lessons about security threats and the best practices for minimizing those threats. Some of these lessons will be applicable to customer-facing IT operations; others will be more specific to database security. And whatever the connection of Zappos' customer databases to Amazon cloud services, both cloud vendors and prospective cloud customers will have further lessons to absorb.
Hackers are out there. If they target your organization, how well protected are your data operations?