eBay Cyberattack sparks debate over Data Security

Posted by Karen on May 22, 2014 12:00:00 AM
Over the past few months the online community has been rocked by numerous cyberattacks leading to a substantial amount of personal information being accessed. Just one month ago we were faced with the issue of the Heartbleed bug which supplied hackers with personal information from some of the biggest sites in the world including Mumsnet and the Canada Revenue Agency.

Now, the online auction site eBay has reported that millions of accounts may be compromised as hackers have managed to access users’ passwords and personal information including addresses and phone numbers. It is believed that the attack took place between late February and early March, however it was only detected two weeks ago. Furthermore, it is believed that the attack was made possible as those that carried it out managed to gain the login details of some of eBay’s staff.

In a statement, the site said: “Information security and customer data protection are of paramount importance to eBay Inc, and eBay regrets any inconvenience or concern that this password reset may cause our customers. We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.” eBay has also claimed that PayPal, the payment arm of their company, has not been affected by the attack, however users may still want to change their passwords.

eBay has been widely criticised for not properly protecting their data from cyberattacks, especially as it a multi-million pound company which should expect such things to happen and have measures in place to prevent them. For example, Rik Ferguson, global vice president of security research firm Trend Micro, said: “The scope for damage is absolutely huge and could be the biggest hack of all time, given the number of users eBay has.

“It is inexcusable for a company the size of eBay with the amount of data it holds to not encrypt all personal information held and to not constantly be at the forefront of security technology. It should not have taken them three months to notice a break-in like this. Ebay has been around for a very long time and given people’s passwords habits – keeping the same passwords for years and re-using that password on many different sites – it is more likely to have that common, old password.”

Meanwhile, Professor Alan Woodward from the department of computing at the University of Surrey said that the hackers had gained “neatly packaged information that is worth a lot to cybercriminals and though eBay claims that financial information was not compromised we shouldn’t be reassured by these statements.” In fact, it is claimed that information such as names, phone numbers and email addresses are extremely valuable on the black market as they enable criminals to commit identity fraud.

This is just one of the reasons why so many people are concerned with the fact that eBay is not facing any reparations over the loss of such data, as they believe it is their responsibility to protect users’ information. The same was said last year after Sony’s Playstation network was hacked and users’ login and credit card details were stolen, yet the company only had to pay a £250,000 fine. Furthermore, many people argue that these companies have the ability to make their networks secure yet fail to do so as they don’t want to pay for development or advanced technology such as business ethernet.

Harsal Thakrar, Network Operations manager at Fluidata, adds: “It’s been a reality for some time now that keeping passwords secure is as important as setting you house alarm and locking your front door. If users are now going to great lengths to keep their information secure then big corporations have a responsibility to do the same. Having said that, user credentials are easy to change but telephone numbers and addresses - once they're obtained you can’t change them. This information is still very valuable in certain circles but quite frankly if credit card details had also been obtained, three months is just too late. How long would it take for someone to empty your bank account?”
Subscribe to our email updates