Zola: A Privacy Failure Case Study
Because of the increase in regulation, fines and data breaches, companies need to focus on their data policies and protection much earlier than they have in the past. Founding and management teams can no longer ignore data protection or rely on outdated policies that have not been updated in years. In this blog post, we look at a potential unicorn that suffered a data breach. They thought they were prepared and, by all external accounts, they handled the breach effectively. So why was it such a disaster for them?
The company is Zola, an online wedding registry that has raised $140 million and, according to TechCrunch, is an up-and-coming "unicorn". Zola was founded in 2013. Its mobile app is popular with consumers who want the modern, high-end wedding experience. Spoiler: one of our employees was a user of the app and loved it. Her view has since changed significantly.
Because Zola is a wedding registry, one of its key features is the ability to have cash gifts deposited directly into the couple's bank account. As a result, Zola holds bank account details for a large number of consumers, along with a host of other personal information, including the usernames and passwords of the users associated with those bank accounts.
Zola was large enough, in number of customers and in revenue, to be subject to the California Consumer Privacy Act (CCPA) in 2022. It was likely subject to breach notification laws in most of the 50 US states. It also appears that Zola sells its product in Europe and is therefore subject to the General Data Protection Regulation (GDPR) of the European Union (EU).
In May 2022, Zola suffered a data breach as a result of a cyber attack (see Carly Page and Zack Whittaker, "Hackers compromised some Zola user accounts to buy gift cards", TechCrunch, May 23, 2022, https://techcrunch.com/2022/05/23/zola-accounts-hacked/). The cause was found to be a "credential stuffing" attack: usernames and passwords stolen from other sites, and reused by their owners on Zola, were replayed against the Zola login to find the ones that still worked. No vulnerability in Zola's own code was needed; the attack only required that a password be valid.
Zola's first, and possibly most important, failure was its inability to prevent this attack. Had Zola required a second authentication factor, a stolen password alone would not have been enough to get into an account, and this attack would almost certainly have failed. Unfortunately, once an account was opened, it carried linked bank account details, which the attackers used to drain money indirectly by generating gift cards. This is an important lesson. Zola was a nine-year-old company that, for whatever reason, had not implemented two-factor authentication. We do not know why this security feature was not prioritized given the sensitive nature of the bank account information stored in user accounts. Had Zola performed a privacy impact assessment, we would hope that this gap would have been flagged.
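Credential stuffing has a recognizable shape in authentication logs: one source tries many distinct accounts, most attempts fail, and the few that succeed are the accounts that were opened with a reused password. The following is an added example (not Zola's code, and not based on Zola's logs) of the simplest form of that detection, run over a constructed log in a hypothetical `ip=... user=... result=...` format. It separates the stuffing source from a legitimate user who merely mistyped a password, and lists the accounts the attacker actually got into, which are the ones that need to be locked and signed out.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (hypothetical format, not real Zola data).
# 203.0.113.7 behaves like a stuffing source: one IP, many distinct usernames,
# mostly failures, a couple of hits. 198.51.100.9 is a legitimate user who
# fumbles one password a few times. 192.0.2.44 is a normal single login.
SAMPLE_LOG = """\
2022-05-20T01:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2022-05-20T01:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2022-05-20T01:00:03Z ip=203.0.113.7 user=carol@example.com result=OK
2022-05-20T01:00:04Z ip=203.0.113.7 user=dave@example.com result=FAIL
2022-05-20T01:00:05Z ip=203.0.113.7 user=erin@example.com result=FAIL
2022-05-20T01:00:06Z ip=203.0.113.7 user=frank@example.com result=OK
2022-05-20T01:00:07Z ip=203.0.113.7 user=grace@example.com result=FAIL
2022-05-20T01:00:08Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2022-05-20T01:05:00Z ip=198.51.100.9 user=ivan@example.com result=FAIL
2022-05-20T01:05:10Z ip=198.51.100.9 user=ivan@example.com result=FAIL
2022-05-20T01:05:20Z ip=198.51.100.9 user=ivan@example.com result=OK
2022-05-20T01:06:00Z ip=192.0.2.44 user=judy@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield (ip, user, success) tuples; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"


def detect_credential_stuffing(events, min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct accounts with a low success rate.

    Returns {ip: {"accounts_tried": n, "attempts": n, "compromised": [users]}}.
    'compromised' lists the accounts where a flagged IP logged in successfully;
    those are the accounts to lock and force-logout. A legitimate user retrying
    one account is not flagged because accounts_tried stays at 1.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0, "hits": set()})
    for ip, user, success in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if success:
            s["ok"] += 1
            s["hits"].add(user)

    flagged = {}
    for ip, s in per_ip.items():
        if len(s["users"]) >= min_accounts and s["ok"] / s["attempts"] <= max_success_rate:
            flagged[ip] = {
                "accounts_tried": len(s["users"]),
                "attempts": s["attempts"],
                "compromised": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Real stuffing campaigns are spread across proxy networks, so a production detector keys the same counters on more than the source IP (ASN, device fingerprint, user-agent) and looks at the rate of distinct usernames per source over a sliding window. The more important point is what the successful logins mean: a second factor at the login step would have turned those "OK" rows into failures even though the password was right.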
Zola responded rapidly to the breach. Within 24 hours it notified users that there had been suspicious activity on their accounts, that the accounts had been shut down, and that passwords needed to be reset. Unfortunately, users were already finding money missing from their bank accounts and were discussing and complaining about it on the Zola website. In addition, it appears that Zola did not actually sign users out of their accounts before locking them: an attacker who was already logged in held a valid session, and a password change (or even a username change) does nothing to that session unless the server also revokes it. This suggests a second failure on Zola's part. They were not really prepared or "practiced" in handling this type of attack. They took steps but failed to complete the loop and force every existing login to be signed out.
Within 48 hours of the initial notice, Zola then told users that it had a suspected data breach incident. It warned users of possible bank account activity and asked them to contact Zola customer support. Unfortunately, customer support was available only by email, and only through the general customer support address. This put two additional steps between the consumer and anyone at Zola who could talk about the money disappearing from their account: first, Zola had to reply to the email, and second, it had to forward the customer to the people dedicated to handling the incident. Imagine how consumers felt when all they had was an email address while they watched money disappear from their bank accounts.
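The gap described above, a password reset that leaves the attacker's existing session alive, is easy to reproduce and easy to close. The following is an added example (not Zola's code; the service, account names and passwords are constructed for illustration) of a minimal session store that records a per-user session generation number. A session is only valid while its generation matches the user's current one, so locking an account or resetting its password revokes every session issued before that point without having to find and delete them individually. The "incomplete" reset is included to show the failure mode side by side with the fix.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2; the hashing scheme is incidental to the session logic."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    locked: bool = False
    # Bumped on every lock or password reset. Each session records the value
    # current when it was issued; any session carrying an older value is rejected.
    session_generation: int = 0


@dataclass
class Session:
    username: str
    generation: int


class AuthService:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}  # token -> Session

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        u = self.users[username]
        if u.locked or not secrets.compare_digest(u.pw_hash, hash_password(password, u.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, u.session_generation)
        return token

    def session_is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        if s is None:
            return False
        u = self.users[s.username]
        # The token still exists in the store; what decides validity is whether
        # it predates the latest lock/reset.
        return not u.locked and s.generation == u.session_generation

    def reset_password_incomplete(self, username: str, new_password: str) -> None:
        """Models the failure: the credential changes but existing sessions live on."""
        u = self.users[username]
        u.pw_hash = hash_password(new_password, u.salt)

    def revoke_all_sessions(self, username: str) -> None:
        self.users[username].session_generation += 1

    def lock_account(self, username: str) -> None:
        u = self.users[username]
        u.locked = True
        self.revoke_all_sessions(username)  # a lock must also end live sessions

    def reset_password(self, username: str, new_password: str) -> None:
        """Complete loop: rotate the credential AND invalidate every prior session."""
        u = self.users[username]
        u.pw_hash = hash_password(new_password, u.salt)
        u.locked = False
        self.revoke_all_sessions(username)


def demo() -> Tuple[bool, bool]:
    """Returns (attacker still in after incomplete reset, still in after complete reset)."""
    svc = AuthService()
    svc.register("couple@example.com", "reused-password")  # constructed account
    attacker_token = svc.login("couple@example.com", "reused-password")  # stuffed login
    svc.reset_password_incomplete("couple@example.com", "new-password-1")
    still_in_after_incomplete = svc.session_is_valid(attacker_token)
    svc.reset_password("couple@example.com", "new-password-2")
    still_in_after_complete = svc.session_is_valid(attacker_token)
    return still_in_after_incomplete, still_in_after_complete


if __name__ == "__main__":
    print(demo())
```

The same generation check works for stateless tokens such as JWTs: store the generation in the token claims, and have the verifier compare it against the user record. Either way, the incident playbook step is "lock, revoke all sessions, then require a reset", in that order, and the revoke step is the one that actually evicts an attacker who is already inside.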
Did Zola do anything wrong in its breach response? Legally, no. In fact, its response times suggest that it was prepared and had some processes in place for breach notification. It was transparent about what was happening and took immediate action to suspend access (with the notable exception discussed above). It was honest about the possible risks to consumers. However, its third, and equally critical, failure was not understanding that its consumers expected a "concierge-like" response. For consumers who signed up for a wedding registry to manage the gifts from their wedding, an email address was not adequate customer service. The comments of disgruntled customers showed this frustration.
After consumers such as our employee became aware of the breach, and after the immediate issues were resolved, the next step was to assert their consumer rights. In our employee's case, she started by emailing the customer support account and requesting that her account be deleted. This is a right available to consumers under both the CCPA and the GDPR. Customer support directed her to a CCPA-compliant form to supply the information needed to verify her deletion request. She completed and returned the form, and received a response telling her that her account had been deleted. She then asked for confirmation that her bank account information had also been deleted, and was surprised to learn that the answer was no: that would require a different form. She was given a link to a GDPR-compliant form to request deletion of all of her personal information. This highlights a further failure on Zola's part. A person who asks for their account to be deleted should not have to ask separately for the personal information held in that account to be deleted too, or for confirmation that it was. More importantly, Zola should have had documented policies for what is retained after an account is deleted and for how long, even though it would not be unusual for a company to retain some information for a short time after account deletion.
After nearly 45 days, our employee received another email telling her that Zola would need additional time, up to another 45 days, to delete her bank account information. Is this legal? Yes: the CCPA gives a business 45 days to respond to a request and allows one extension of up to a further 45 days. But the extension is a sign that Zola has shared that information with one or more third parties, for example for payment processing or hosting, and would have had to ask those third parties to delete it from their systems as well. Knowing that bank account information has been compromised, 90 days to ensure that it is deleted seems like a very long time.
The fourth and final mistake can best be summarized as a lack of preparation for scale. Zola raised $140 million in order to scale out its business, and according to its website it has 2 million couples as customers. Any of those 2 million customers could call, email or complete a form to delete their data, whether or not they were directly affected. While Zola appears to have been legally prepared to handle the email support requests and account deletion requests of its customers, it may not have been practically prepared to handle them in a reasonable amount of time at scale.
Bottom Line
Even though Zola had privacy policies in place for both the US and the EU, it did not fully implement the practices that would actually assure privacy. It failed to implement the necessary security features in its product. It did not fully contain the breach, because it locked accounts and forced password resets without terminating the sessions that were already open, so the attackers who were already inside stayed inside. It suffered a backlash because its handling of the breach was neither fast enough nor responsive enough to meet its customers' expectations. Finally, it was not prepared to handle a breach of this size and scale. These "small" mistakes add up to a big reputational hit for Zola.
Zola's experience is a good reminder for early-stage companies that they will be held accountable for their privacy promises and their brand promises, and must be adequately prepared from both a legal and a business perspective.