UK Data Commissioner not sold on eBay response to massive data breach.

eBay have been under fire in the last couple of weeks over a major data breach that they have admitted was perpetrated during late February and early March. eBay claim that the severity of the breach only recently came to light and that an earlier investigation had suggested that sensitive data hadn’t been taken. However in a subsequent investigation the forensic investigation team confirmed that in all likely-hood data had actually been stolen.

 

Gary Johnston of Tamite IT who provide IT support to businesses in West Sussex said “From a technical stand point Its possibly not surprising that identifying whether data has or hasn’t been stolen was difficult to ascertain as the data isn’t like a fixed object such as a car, in this case the car was copied and the original is still in the garage, the breach resulted from the fact that the hackers had gained access to eBay employee login credentials”.  Gary Johnston who is an IT security products Director for Tamite IT continued “eBay are cagey as to the type of credential i.e. whether they were related to an employee in the IT Department, the cleaner or the CEO. (in our experience position is not reflected in the care taken when it comes to IT Security) But presumably eBay can see when the credentials were used and what data was accessible as a result of having access to these credentials. While an audit of the stolen credentials activity would be carried out, of course having access to the credentials that had any level of access to the eBay system in the hands of professional hackers would mean that in all likely-hood given time they would be able to penetrate deeper into the system”.

The worrying aspect is that eBay seem to have been prepared to risk customers credentials rather than risk the resultant bad press and take action immediately they realised there was a possibility that they had been compromised.

The email from eBay
The email from eBay

Of course now the press have caught on to the story the eBay seem to be in disarray and are seemingly intent on demonstrating how not to handle the situation from a public relations point of view. The fact is it appears eBay have blown a corporate fuse and have been unable to keep up with events, to a point where it appears that along with common sense and a duty of care to its customers you wonder if the disaster recovery document also went missing in the cyber attack.

eBay appear to have been complacent in many respects with regard to their duty of care to customer data. Only the customers passwords were actually encrypted leaving other data related to the accounts namely the email address, physical address, phone number and date of birth wide open to an attack when encrypting these sensitive details should have been an obvious course of action.

eBay have been keen to point to the fact that Credit Card information does not at this point appear to have been compromised as the information relating to this is held by the eBay subsidiary PayPal on a more secure platform.

We should not be surprised by the delay between the actual perpetration and the identification of the breach as the statistics courtesy of last year’s Verizon Data Breach Investigations Report found that 62% percent of breaches take “months” to discover, while only about third discover the breach within one month. For obvious reasons breaches never discovered or disclosed were absent from the statistics.

From the moment that they were aware they had been breached the assumption should have been that sensitive data had been leaked, a company the size of eBay who don’t forget rank as a major retailer should have clear policies to cover this very eventuality and the disaster recovery plans and processes put in place, one of these would have been a strategy on how to deal with the need to notify affected customers.

This doesn’t seem to have been the case as customers are still receiving emails notifying them of the need to change passwords and apparently last Thursday the website ground to a halt as a result of a stampede of customers trying to update password en-mass as a result of the press breaking the story before eBay had formulated its response.

In the mean time three American states and the US Federal Trade Commission have announced that they will be investigating eBay as a result of the data breach in addition the UK Data Commissioner has intimated that they are likely to launch an investigation in conjunction with the Luxembourg Data Protection Authority. (eBay has its European head quarters in Luxembourg).

MPs have lambasted the American company for the ‘inexcusable delay’ in informing its customers.

Keith Vaz, the chairman of the Commons home affairs select committee, said ‘We have urged companies to take much more seriously the threat of hacking. It is inexcusable that a company as important as eBay has failed to inform its customers immediately that this has occurred. We need a full explanation.

Mr Vaz will be in a long queue as regards to explanations, from eBay’s point of view this is now an exercise in closing stable doors as from the moment the data left eBay’s servers they have no control over where it will end up.

Mr Vaz continued ‘We will be writing to them to ask how this happened and whether this problem has been resolved.’ Presumably using email rather than snail mail, but the how and why seem to be glaringly obvious along with the actions eBay should have been taking all along.

In a statement on their website, the US auction site said it was asking all its users to reset their passwords after an attack ‘compromised a database containing encrypted passwords and other non-financial data’.

The fall-out from this story will be considerable, companies of all sizes should be looking at the implications and how they may be at risk. To put the problem into context records relating to a users identity such as email address, physical addresses etc. and possibly including a set of login credentials will re-sell on Cyber Criminals forums for between a £1.00 for the basic information up to £30.00 for the full monty. One can only guess at the value of the haul from eBay which may have seen as many as 145 million users details lost in a single data breach.

So as the information we store on our clients has real value beyond the obvious commercial benefits to the businesses. We must realise that we have an obligation to our customers and suppliers to safeguard it. A coherent strategy for IT Security and policies to cope with the need to keep confidential data securely are the basis for an over-all strategy that in eBay’s case seems to have gone awry.

West Sussex IT support company Tamite provides IT training, technical assistance, software solutions and strategic guidance to its customers to help make safer, securer environments.

Leave a Reply

Your email address will not be published. Required fields are marked *