eBay’s cyber-attack represents a significant breach
The cyber-attack on eBay is a serious breach for the e-commerce giant and its customers, says the Institution of Engineering and Technology (IET).
Dr Martyn Thomas from the IET said: “This is a really serious breach for eBay and its users. In the time since the theft of the password file, the encryption may well have been broken, exposing the passwords and personal details that the file contained.
“It is also a serious breach for eBay's users, some of whom may have been put at risk by the delay between when eBay discovered the breach and when they notified users. Any eBay user who uses their eBay password on other sites should change these passwords immediately to new, unique and strong passwords.
“eBay's business model depends on trust, through their pioneering work on feedback scores. If accounts are taken over by rogue traders, they could impersonate users who have high feedback ratings, undermining and potentially destroying the trust on which eBay's business has been built. This should be a further wake-up call for all company directors and Audit Committees to treat cyber security as an existential threat to their organisations.”
Hugh Boyes from the IET said: “As an occasional eBay user, I am concerned that not only have they lost my email, username and password, but according to their website the loss includes home address, phone number and date of birth. This is serious from an identity theft perspective. The only item they are missing is mother's maiden name and they have sufficient information to impersonate an individual when dealing with many financial organisations.
“The Information Commissioner makes the point that organisations should keep the minimum information necessary so why do eBay need to hold/store dates of birth and addresses? The only time an address is required is when a sale completes and you want the seller to ship an item to a purchaser - this could be treated as transaction level information and not associated with the customer/user records.
“I also think that rather than delaying the announcement of the need for a password change, eBay should have forced a change of all user passwords, i.e. cancel/disable current passwords and force a user to set a new password next time they try to log in. This would prevent account takeovers as were being reported on the radio last night.”