Hacking of ebay site results in massive privacy breach

May 22, 2014

The internet interface with an organisation's data, whether held within the organisation or in the cloud, is always a potential target for hackers. For those whose business is largely or exclusively online and who hold significant amounts of customers' personal information, the consequences of a data breach in the form of a hacking attack can be immense, both reputationally and financially. eBay has suffered damage to at least the former and probably the latter. The unauthorised access to customer data occurred in the late February to early March period, around three months ago. There will be questions about the delay in notifying its clients of this breach. In the USA there is no mandatory Federal data breach notification law, although most states have such laws in place. In Australia there is no mandatory data breach notification law, although there should be. In the last sitting week of the last Parliament such a Bill came very close to being read a second time in the Senate and passed; however, the Bill lapsed when Parliament was prorogued.

In the context of Australian privacy law a significant hacking attack does not, of itself, result in a breach of the Australian Privacy Principles. That is clear from the guidelines. That said, if a large operation which stores a considerable amount of personal data fails to maintain up-to-date and sufficiently sophisticated internet security architecture, then the potential for action by the Privacy Commissioner can be significant. What an organisation does to manage the breach, determine the extent of the data interference and remedy any deficiency in the security system becomes very important. That is where the quality and effectiveness of the training, protocols, guidelines and procedures an organisation should have become important, and those matters are required under the Australian Privacy Principles. The question then becomes what the Privacy Commissioner does if the standards, training, guidelines, policies and programs are of an inadequate standard.

eBay's statements (found here and here) provide:

eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.

Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers. We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.

Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.

The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.

The company said it has seen no indication of increased fraudulent account activity on eBay. The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.

Beginning later today, eBay users will be notified via email, site communications and other marketing channels to change their password. In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts.

and

Later today, eBay Inc. will be asking all eBay users to change their passwords due to a cyber attack that compromised an eBay database containing encrypted eBay passwords and other non-financial information. eBay will notify its user base directly within the next 24 hours with more details.

Extensive forensic research has shown no evidence of unauthorized access or compromise to personal or financial information for PayPal customers. PayPal customer and financial data is encrypted and stored separately, and PayPal never shares financial information with merchants, including eBay.

In addition to asking users to reset passwords, eBay Inc. said it will also encourage any eBay user who used the same password on other sites to change those, too.

The World Today covers the story in Identity theft concerns raised after eBay hacking revealed, which provides:

ELEANOR HALL: Internet retailing giant eBay is admitting today that the hacking of its computer systems three months ago could affect all 145 million users of the auction website.

The company has defended the time it has taken to discover the unauthorized access to its network, and the two week delay in letting its users know that their private information was stolen.

Internet security analysts say they now expect a rise in the number of secondary attacks, as hackers attempt to exploit other sites.

Will Ockenden reports.

WILL OCKENDEN: The numbers behind one of the world’s biggest e-commerce sites, eBay, are staggering.

Last year the company saw more than $US205 billion worth of goods bought and sold via its website, by around 145 million active users.

eBay has admitted that many of the personal details, including names, emails, addresses and phone numbers of those millions of users, have been lost.

STILGHERRIAN: I think eBay really needs to have been a bit faster off the mark telling people that they had a problem.

WILL OCKENDEN: Stilgherrian is a freelance internet security commentator.

STILGHERRIAN: It’s been around two weeks since they definitely knew that the database had been potentially compromised.

WILL OCKENDEN: Users reacted angrily when told how much of their personal information has been lost.

Tayla uses eBay occasionally.

TAYLA: Maybe once a month, when I want to shop.

WILL OCKENDEN: eBay says no financial information like credit cards was lost in the attack, and has urged customers to change their password.

The company also owns payment provider PayPal, which is often linked to a user’s eBay account.

TAYLA: Yeah, I use the same password for everything. I shouldn’t say that but (laughs)…

WILL OCKENDEN: I don’t think you’re alone.

TAYLA: Yeah, so my credit card, my debit cards, everything is connected to my PayPal, PayPal is connected to eBay.

WILL OCKENDEN: So you better change both.

TAYLA: Yeah, yeah, far out. God damn it eBay.

WILL OCKENDEN: She says it’s going to be a hassle.

TAYLA: Now I have to go through the mission of changing it all and making sure everything is secure and safe.

WILL OCKENDEN: That’s easier said than done.

While changing a password is easy, changing your email, telephone number or physical address isn’t.

No one would seriously entertain changing their name in response to an internet security breach, and changing your date of birth is impossible.

Stilgherrian says the reason why such a huge loss of personal information is so serious is because it’s those private details which other services, like banks or phone companies, rely on for authentication over the phone.

STILGHERRIAN: The database itself has people’s names, addresses, phone numbers, email addresses and dates of birth. That’s a big chunk of the information you need to start stealing an identity.

(Sound of phone ringing)

WILL OCKENDEN: I rang my own phone company to see what I could do using the type of information eBay says was stolen from its user database.

TELEPHONE OPERATOR: Oh, I’m going to check it for you. I just need some details, is it fine?

WILL OCKENDEN: Yup.

TELEPHONE OPERATOR: Okay, I’m going to pull up your account using this number and who am I speaking with now? What is your name?

WILL OCKENDEN: After I gave my phone number and full name, the next question was…

TELEPHONE OPERATOR: How about your date of birth?

WILL OCKENDEN: And that’s enough.

TELEPHONE OPERATOR: Okay, the last time you recharged this number was on the…

WILL OCKENDEN: For identity theft, getting access to someone’s phone is a big step to accessing other parts of their life.

Many banks for example now send single-use authentication numbers via SMS for use when logging in or transferring money.

Copies of phone bills are often accepted as part of proving identity and it’s not hard to change the addresses with the type of information eBay lost.

(Question to telephone operator) Would I be able to change my address?

TELEPHONE OPERATOR: Okay, just your residential address?

WILL OCKENDEN: Yup.

TELEPHONE OPERATOR: Okay, what is your previous address?

WILL OCKENDEN: eBay says a user's physical address was also stolen during the hack.

This isn’t saying there’s a problem with the phone company’s processes, rather it shows how easy it is to impersonate someone with their basic information.

Stilgherrian says there’ll likely be problems on other systems, as attackers use the information gathered in the eBay hack to break into other websites.

STILGHERRIAN: We can expect this database to go into the big pool of information that’s available to the criminal undergrounds.

WILL OCKENDEN: eBay declined an interview request with The World Today, but provided a link to a list of frequently asked questions.

It says the company has been working with security experts and law enforcement to investigate the matter.

ELEANOR HALL: Will Ockenden reporting.
