eBay breach shows just how poorly companies understand security

Companies should do everything in their power to prevent data breaches. They should hope and pray that customers’ info will never be touched. But that doesn’t mean they can get by without a plan of what to do in case a data breach happens. 

eBay recently revealed that sometime in late February or early March, one of its databases was breached by unauthorized access. The way it revealed that information could’ve been smoother.

First it put a message up on the site warning users to change their passwords. Then it took that message down and formally acknowledged the breach. Then it put the warning to change passwords back up on the site.

That kind of disorganization likely won’t make too many users feel comfortable with eBay’s security policies.

What happened

The data stolen in the breach included:

  • customer names
  • mailing addresses
  • phone numbers
  • date of birth, and
  • email addresses.

Users' passwords were also stolen, but eBay assures us they were encrypted.

But as Rik Ferguson, a blogger for Trend Micro, notes, the fact that none of that customer information was encrypted is a serious lapse in security judgment. And the company has said nothing about how that unencrypted information was stored or what kind of encryption protected the passwords.
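The question of "what kind of encryption the passwords used" matters because passwords should not be stored with reversible encryption at all; they should be hashed with a per-user salt and a deliberately slow key-derivation function, so a stolen table cannot be turned back into passwords. The following is an added example (not eBay's code, and nothing is known about what eBay actually used) showing one such scheme with Python's standard library: PBKDF2-HMAC-SHA256 storage and verification, plus a small audit routine that flags stored records whose format, iteration count or salt would be a weakness. The iteration count and record format are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed work factor for this example; tune on your own hardware so that a
# single verification takes on the order of tens of milliseconds.
ITERATIONS = 210_000
SALT_BYTES = 16
# Assumed minimum a record must meet to pass the audit below.
MIN_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password get
    different records, and precomputed tables are useless against the dump.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_record(record: str) -> List[str]:
    """Return a list of weaknesses found in a stored record (empty means it passes).

    This is the kind of check a security team runs over its own credential
    store before, not after, a breach forces the question.
    """
    findings = []
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return ["unrecognised format: not a salted PBKDF2-SHA256 record"]
    _, iterations, salt_hex, _ = parts
    if int(iterations) < MIN_ITERATIONS:
        findings.append(f"iterations {iterations} below minimum {MIN_ITERATIONS}")
    if len(bytes.fromhex(salt_hex)) < SALT_BYTES:
        findings.append(f"salt shorter than {SALT_BYTES} bytes")
    return findings


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("verify correct:", verify_password("correct horse battery staple", stored))
    print("verify wrong:  ", verify_password("not the password", stored))
    print("audit findings:", audit_record(stored))
    # A constructed weak record: 1,000 iterations with a 4-byte salt.
    weak = "pbkdf2_sha256$1000$deadbeef$" + "00" * 32
    print("audit of weak record:", audit_record(weak))
```

The record embeds its own parameters, so the iteration count can be raised over time and old records re-hashed on the user's next successful login without a flag day. A stolen table of such records still has to be attacked one slow guess at a time, which is the property a company wants to be able to state plainly in a breach notice.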

Ferguson also points out that a company the size of eBay should probably have been able to detect that information was being accessed and exfiltrated sooner than a few months in.
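Detecting bulk access and exfiltration sooner than "a few months in" does not require anything exotic: a database that logs who read how many rows, and a job that compares each principal's hourly volume against that principal's own normal level, surfaces the kind of mass read Ferguson describes. The following is an added illustration, not eBay's tooling and not based on any knowledge of its environment; the audit-log line format and all sample lines are constructed for this example. A service account that legitimately reads large volumes every hour is included to show why the baseline must be per-principal rather than a single global threshold.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed audit-log lines (format is an assumption for this example).
# "web_app" normally reads a few hundred customer rows per hour; "nightly_etl"
# legitimately reads ~50k rows every hour; then web_app reads 50k rows at 02:00.
SAMPLE_LOG = """\
2014-03-01T09:12:01Z user=web_app rows=120 table=customers
2014-03-01T10:05:44Z user=web_app rows=95 table=customers
2014-03-01T11:30:02Z user=web_app rows=140 table=customers
2014-03-01T12:47:19Z user=web_app rows=110 table=customers
2014-03-01T13:02:55Z user=web_app rows=130 table=customers
2014-03-01T10:00:00Z user=nightly_etl rows=48000 table=customers
2014-03-01T11:00:00Z user=nightly_etl rows=51000 table=customers
2014-03-01T12:00:00Z user=nightly_etl rows=49500 table=customers
2014-03-02T02:14:07Z user=web_app rows=24000 table=customers
2014-03-02T02:41:33Z user=web_app rows=26000 table=customers
"""

# Captures the hour bucket (timestamp truncated to the hour), the principal and the row count.
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z user=(?P<user>\S+) rows=(?P<rows>\d+)"
)


def hourly_rows(log_text: str) -> Dict[Tuple[str, str], int]:
    """Sum rows read per (user, hour bucket)."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count and alert on these too
        totals[(m["user"], m["hour"])] += int(m["rows"])
    return dict(totals)


def flag_exfiltration(
    log_text: str, factor: float = 10.0, floor: int = 1000
) -> List[Tuple[str, str, int]]:
    """Return (user, hour, rows) for hours where a principal read more than
    `factor` times its own median hourly volume and more than `floor` rows.

    The absolute floor stops a low-volume account from alerting on trivial
    fluctuations (5 rows vs. a median of 0.4); the per-user median stops a
    bulk-reading service account from alerting on every single hour.
    """
    totals = hourly_rows(log_text)
    per_user: Dict[str, List[int]] = defaultdict(list)
    for (user, _hour), rows in totals.items():
        per_user[user].append(rows)
    flagged = []
    for (user, hour), rows in sorted(totals.items()):
        baseline = statistics.median(per_user[user])
        if rows > floor and rows > factor * baseline:
            flagged.append((user, hour, rows))
    return flagged


if __name__ == "__main__":
    for user, hour, rows in flag_exfiltration(SAMPLE_LOG):
        print(f"ALERT: {user} read {rows} rows in hour {hour}")
```

Run as written, only the web application account's 02:00 hour is flagged (50,000 rows against a median of 125), while the ETL account's 48,000 to 51,000 rows per hour pass because that is its normal. The baseline here is the median over the whole window, which is fine for a first pass because one anomalous hour barely moves a median; a production detector would use a trailing window of previous days and also alert on an account reading tables it has never touched before.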

Having a plan matters

A couple of takeaways: First of all, encrypt sensitive data. Sure, account passwords are important, but if a user’s name, telephone number, date of birth and email address are also spilled to a hacker, it’s not a huge leap of imagination to see that information being used against them in a phishing attack.

Also, you won’t want to be caught by surprise as this company was. Breaches will continue to happen to companies of all sizes. What matters is how you react to them.

Put together a team with representatives from IT, the C-level, customer service, finance, etc. to prepare for data breach fallout. You’ll want to know what everyone’s responsibility is well before the hectic aftermath.

Ideally, you'll never need these measures, but reality offers no guarantee of that.