Right on the heels of the Heartbleed bug in OpenSSL, which exposed how many IT managers were running critical security software that nobody on their staff had ever checked, we have another example of IT incompetence: eBay.
On 21 May 2014 eBay released an official statement confirming that it had been the victim of a “cyber attack that compromised a database containing encrypted passwords and other non-financial data.” The data that was not encrypted included customers' names, physical addresses, e-mail addresses, phone numbers and dates of birth. eBay is asking about 145 million users to change their passwords.
The breach occurred between late February and early March but was not discovered until early May, roughly two months later. Reuters reported that the attackers obtained the login credentials of a small number of eBay employees, used them to get into the eBay corporate network, and from there had access to customers' personal data.
Companies are not keeping up with cyber criminals and cyber terrorists. It may be impossible to stay ahead of them, but companies like eBay are clearly not monitoring their IT infrastructure closely enough to detect inappropriate access quickly; two months is far too long for a compromised employee account to go unnoticed.
The chief security officer for Trend Micro, Tom Kellermann, said, “I don’t want to take anything away from the good work of places like eBay, but any site that handles the personal information of hundreds of millions of people has to be working harder to protect that information.” Leaving personal data unencrypted is pure incompetence, and an indication of the lack of concern companies like eBay have for their customers. Encryption at rest is only part of the answer, though: an attacker who logs in with a legitimate employee's credentials usually sees the same decrypted view that the employee sees, which is why access control and monitoring (see the checklist below) matter just as much.
It is a shame that incompetence is not a crime, because many of these data breaches that impact millions of people are the result of pure incompetence in the IT departments of huge companies. As far as I can determine, eBay broke no laws and violated no compliance regulations. I suggest that our lawmakers create federal regulations that financially penalize companies that have breaches that release unprotected personal data, with the fines going to the individuals who have been compromised.
The last word:
What should you do?
- If you have a personal or corporate eBay account, change your password immediately.
- If you use the same password at other sites, change it there also. Once a cyber-criminal gets one of your passwords, they will try that same password (and your e-mail address) at other sites.
- Continue to monitor your financial status.
If you haven’t recently, it is time to do a real security audit of your own company. Start with the data that you store about your customers as individuals.
- Do you store any data that might be covered under PCI (financial) or HIPAA (health) compliance requirements?
- Do you use usernames and passwords on your website to provide access, convenience or special opportunities for your customers?
- If you do, then how are you treating that data?
- Is it always encrypted when stored or moved? (Passwords in particular should not be stored reversibly encrypted at all, but as salted, deliberately slow hashes such as bcrypt or PBKDF2, so that a stolen database does not yield the passwords even if the encryption key is stolen with it.)
- Do you have a formal security policy?
- Do you restrict access to specific personal data based on the role of your employee or contractor?
- Are your employees, contractors and partners trained on the importance of protecting that data?
- How do you identify internal users of your IT systems?
- Are employee and contractor access rights updated immediately when they change roles, and revoked when they move on and should no longer have access?
- Do you monitor which customer records employees and contractors are accessing, and look for inappropriate access: data outside their role, access at unusual times, or far more records than their job requires?
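The last three questions on the list describe exactly the monitoring that would have caught an abused employee account in days rather than months: who is reading customer records, whether their role permits it, and whether the access is happening at odd hours or in bulk. As an added example (not eBay's code or the author's), here is a small Python check that runs that logic over a constructed audit log. The log format, the role-to-field table, the business-hours window and the 50-records-per-hour threshold are all assumptions for illustration; a real deployment would read the log from the database or application server and tune the thresholds to actual job patterns.

```python
"""Flag suspicious employee access to customer personal data.

Added example, not eBay's or the article author's code. The audit-log
format, role table and thresholds below are assumptions for illustration.
"""
from datetime import datetime

# Assumed audit-log line format:
#   <ISO timestamp> <employee> <role> <action> <customer field> <customer id>
# Assumed mapping of job role -> customer fields that role may read.
ROLE_FIELDS = {
    "support":   {"name", "email", "phone", "address"},
    "marketing": {"name", "email"},
    "finance":   {"name", "address"},
}
BUSINESS_HOURS = range(8, 19)   # assumed: 08:00-18:59 local time
BULK_THRESHOLD = 50             # assumed: records per employee per hour


def build_sample_log():
    """Constructed sample log: three normal users and one bulk off-hours pull."""
    lines = [
        "2014-03-02T09:15:00 alice support read email 1001",
        "2014-03-02T09:16:30 alice support read phone 1001",
        "2014-03-02T10:05:00 carol marketing read birthdate 3001",  # outside role
        "2014-03-02T11:00:00 dave finance read address 4001",
    ]
    # "bob" (or whoever holds bob's credentials) reads 60 records at 02:47.
    lines += [
        f"2014-03-02T02:47:{i % 60:02d} bob support read address {2000 + i}"
        for i in range(60)
    ]
    return "\n".join(lines)


def parse_line(line):
    ts, user, role, action, field, cust = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user, "role": role, "action": action,
        "field": field, "cust": cust,
    }


def find_suspicious(log_text):
    """Return a list of (kind, user, detail) alerts for the given log text.

    kinds: role_violation  - field not permitted for the user's role
           off_hours       - any access in an hour outside BUSINESS_HOURS
           bulk_access     - more than BULK_THRESHOLD records in one hour
    Off-hours and bulk alerts are raised once per user per hour, not per line.
    """
    alerts = []
    per_user_hour = {}  # (user, "YYYY-MM-DDTHH") -> [record count, hour of day]
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["field"] not in ROLE_FIELDS.get(ev["role"], set()):
            alerts.append(("role_violation", ev["user"], ev["field"]))
        key = (ev["user"], ev["ts"].strftime("%Y-%m-%dT%H"))
        bucket = per_user_hour.setdefault(key, [0, ev["ts"].hour])
        bucket[0] += 1
    for (user, hour_key), (count, hour) in per_user_hour.items():
        if hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", user, hour_key))
        if count > BULK_THRESHOLD:
            alerts.append(("bulk_access", user, f"{count} records in hour {hour_key}"))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in find_suspicious(build_sample_log()):
        print(f"{kind:15} {user:8} {detail}")
```

Run against the constructed log, this reports one role violation (carol, a marketing user, reading a birthdate), one off-hours alert for bob's 02:00 activity and one bulk alert for his 60 records in a single hour, and nothing for alice and dave. The point of bucketing by user and hour is that an attacker reusing a stolen account produces one loud alert instead of thousands of lines that nobody reads.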
Keep your sense of humor.