And so, another domino falls. This week it was eBay’s turn to announce it had been the victim of a massive data breach. As befits such a revelation from what is, at present, the 23rd-most-visited website in the world, the news has been accorded headline status across the globe. And, as was the case with the Stratfor hack a few years ago, this one hits home.
I’ve been an eBay customer for over a decade. The site has helped me track down some rare records I might never have found otherwise, and my dealings with other users have been friendly, successful and straightforward. And while I don’t use it as much as I once did, it’s still good to know it’s there, as we all like to have options. All that, though, has now come to an end.
The details released so far are embarrassing for eBay, but – according to most of the media reports about the hack, which have kept close to the company’s own line – probably not too worrying for site users. Hackers appear to have gained access to a database containing records of some 145 million customers. The breach happened some time in February but was not detected until early May. In a statement on its corporate website, eBay said hackers had “compromised a small number of employee log-in credentials,” implying – though not explicitly confirming – that the attack relied on social engineering of employees with extensive database access.
As it tries to limit the damage, eBay is about to embark on a sizable publicity blitz, involving a doubtless expensive global ad campaign as well as direct emails that will roll out following its announcement to the press, to tell its users to change their passwords. We are told that, at some point soon, users logging in to the site will be forced to change their passwords, so some re-engineering of the entire global eBay platform is presumably underway. The share price has fallen, though not as yet by too much; costs will surely rise in the weeks ahead.
So far, this is the story as it’s played out in other media, and the picture painted is far from pretty for the internet giant (eBay, founded 19 years ago, has over 33,000 employees worldwide and turned over more than $16 billion in 2013). But it gets messier – and far more scary – the closer you look.
First up, the response to the breach, from a customer perspective, is lamentable. At the time of writing – around 9am on May 22, around 18 hours after the breach was announced but well over two weeks since eBay admits it knew about it – there is still no information about the hack, or the need to change passwords, on the ebay.co.uk home page. There is a notification on ebay.com, but it appears only as one of five rotating banner ads at the top of the page, and isn’t there every time you visit the site. No email from eBay has arrived, despite – presumably – customer account information still being held by eBay (there is no suggestion that hackers destroyed eBay’s copies of the data, so it is unclear why customers have not been alerted directly).
The message this sends out is that eBay rates its customers’ right to access details of the breach and to receive timely information about it as being of considerably less importance than advising them of its “Memorial Day deals” or the 50% off available on some tech items. As a customer whose data have been stolen, the fact that I’m hearing about this from the BBC, the Guardian and Reuters, but not as yet from eBay, is some way short of encouraging.
But let’s be charitable and allow eBay a bit of time to alert their customers, and perhaps accept that going to the media first maybe makes a degree of sense. Quite quickly, the message has got through: unless an eBay user never looks at news sites online, doesn’t listen to the radio, read newspapers or watch TV, chances are they will be aware of this by now – and maybe that’s quicker and more reliable than a direct email, because we ought to be used to treating a “We’ve been hacked! Change your password now!” email with some degree of scepticism. Let’s further assume that the majority of customers will by now have found their way to the posting on the corporate blog that stands at present as the company’s view on the matter, and represents their full and frank advice to customers. Yet even if we cut the company this amount of slack, the response still falls a long way short of acceptable.
The opening of this online statement is all about the password reset, why it’s necessary, and contains an apology to customers that they’re going to have to go through the rigmarole involved. It seeks to reassure us that our password has been stored securely, and, while it has been stolen, it is not in a readable form. “Calm down,” we are told: “everything’s going to be OK. We’re sorry, but the chances of anything bad happening are pretty low.” Paragraph four, however, says something entirely different. “The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth,” it reads.
Excuse me? So you only encrypted the password? This means that all 145 million eBay customers are now at heightened risk of identity theft, and will need to be particularly diligent in coming weeks and months about any and every unsolicited incoming email or telephone call. To any social engineer worthy of the name, making malicious use of so extensive a set of information ought to be like shooting fish in a barrel.
As someone stung into action some time ago by another data breach at a much smaller online entity, I’ve already made sure that I use different, strong passwords at every site: of all the data eBay holds on me, the one bit I’m really not too bothered to have falling into the hands of criminals is the password – there’s nothing they can do with it which will harm me. Because my PayPal account uses a different email address as well as a different strong password, stealing my money isn’t going to be quite so straightforward: I’m optimistic those in possession of the eBay database will choose to target some of the other 144.9 million account-holders in search of lower-hanging fruit. I’m presently also congratulating myself for my sloth – the postal address and phone number eBay holds for me are two house-moves out of date, but only because I never got round to updating them. This ought to make it that bit less likely that I’ll suffer through eBay-related identity theft, but not through any prescience on my part – and certainly not through eBay’s efforts to secure the information I provided to the company.
My date of birth hasn’t changed, though – and given how often one has to use that metric to obtain and access financial services, that’s a major headache. So while I’m personally relieved by my relatively limited exposure to risk, I’m acutely aware that most of those limits are the result of my own actions, not eBay’s: and if I’m doing a better job at keeping myself safe from online fraud than a multinational company with a multi-billion-dollar turnover, then something is desperately, sickeningly wrong.
How can a household-name company that interacts with its customers entirely through computer systems get away with storing its customer data in so insecure a way, and then claim – as eBay does, in its statement – that “Information security and customer data protection are of paramount importance” to it? This is clearly a fiction: if those things were of any importance at all, the data would have been stored securely, encrypted strongly, and staff given better training on how to avoid giving global customer database logon details to criminals. That eBay has failed to do any of these things adequately is bad enough: that they choose to try to hide just how bad a mess this is by stressing the stable-door/bolted-horse password-change measure suggests that they hold their customers in contempt.
There is, of course, only one logical response. It’s a shame, but I’ve not really got any alternative. I’ve closed my eBay account (or, at least, I’ve begun that process: it’s going to take eBay two weeks, apparently, to do this). I closed my Stratfor account because they kept my data in unencrypted form on insecure servers, so I’m just being a hypocrite if I don’t apply the same standards to other online businesses I deal with. If these companies won’t protect my data, I’ll have to do it myself – and if I don’t act, I’m just making the whole problem worse, by being a passive enabler of bad security.
So from here on in, I’ll be looking for old records over at Discogs.com – it’s proved a happy hunting ground in the past, and they don’t require you to give them anywhere near as much personal data. Maybe if a few other people follow suit, and vote with their feet – take their business away from companies who have proved incapable of practising acceptable levels of security and instead become customers of alternative vendors – some of these internet multinationals might start to realise that the savings they make by doing security on the cheap may not turn out to have been the shrewdest bit of business they ever conducted. It is difficult to predict how this situation will pan out, but the one thing I’m sure of is that if we don’t, as customers, put all the pressure we can on companies to do better with data security, we are merely shortening the time before we become victims not just of data theft, but of full-on, real-world, money-taken-from-us fraud.