
eBay shows what not to do in a customer data breach

TL;DR: eBay's security was breached in late February or early March. Customer personal information was stolen. The breach was discovered two months later. The details of the breach are scarce, but eBay has divulged that the attackers only needed a simple username and password to breach eBay's security. Using just a username and password to access customer personal information is bad. Storing customer personal information in plain text is a major no-no for any organisation that manages customer personal information. It is an even bigger no-no when the business model is based on trust. eBay's crisis communication strategy is to deflect any admission of poor security management and even poorer crisis management, and to put the onus on customers to change their passwords.

From eBay's well-constructed (I jest) crisis communications page we can learn that they were breached. They call it a 'cyberattack' because that sounds better than saying "someone stole the usernames and passwords of a few of our staff and that gave them access to our crown jewels".

Earlier this month, our company discovered a cyberattack on our corporate information network. Visit this page for all official company communications regarding our network compromise.
(Link above added by me)

Which would be fantastic, if it weren't for the fact that eBay is only now telling us about it. I understand that security investigations take time, and that companies tend to err on the side of caution, but here's the timeline:

[Figure: eBay breach timeline as we know it]

So eBay, who, in their own words, take security on eBay very seriously, took a good two months to discover, investigate and finally report to their customers that their personal information got stolen. What personal information got stolen? Just full name, physical address(es), phone number(s) and date of birth. Let's have a closer look at exactly what eBay says:

Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
(Emphasis mine)

Wait, what? eBay claims that eBay security (not customer data security, mind you) is paramount to them, yet it only took a small number of employee log-in credentials to gain access to the customer database? eBay, we've got a problem. Why wasn't there second-factor authentication for remote access to eBay systems? If there was, how was it circumvented? Why wasn't customer data encrypted in the database? eBay's sole business is based on trust. Customers and sellers trust eBay to protect their data - trust that was clearly misplaced.

To make matters worse, eBay continues to show how not to manage crisis communications. In simple terms, this is what happened:

  1. Customers entrust their private information to eBay.
  2. eBay promises to keep that private information safe and secure.
  3. Unknown actors compromise eBay's security some time in late February or early March.
  4. eBay announces in May that they have discovered the breach of their security. Customer personal information was compromised as a result of that breach.
  5. eBay tells its customers to change their passwords.

eBay's latest update is as non-committal and as arrogant as they come:

[O]ur team is committed to making eBay as safe and secure as possible. So we are looking at other ways to strengthen security on eBay. In the coming days and weeks we may be introducing new security features. We’ll keep you updated as we do.

In other words, eBay may or may not do anything to improve their very poor handling of customer personal information. Yes, they were breached, but the onus is on us, the customers, to keep the fallout from their breach to ourselves to a minimum. Remember, it wasn't just our usernames and passwords that were compromised. Our full names, home addresses, telephone numbers and dates of birth were also compromised. We can't (easily) change those. And why should we?

As far as crisis communications goes, eBay receives a solid F. As far as ongoing trust in their handling of personal information goes, they deserve an F-.

In case you're wondering what good crisis communications look like, here's a short link. Also worth checking out are The Crisis Blog, and Steven Fink's Crisis Management: Planning for the Inevitable and Crisis Communications: The Definitive Guide to Managing the Message. If you need something quick and digestible, have a look at the way Johnson & Johnson managed the 1982 Tylenol crisis (GOOD) versus Exxon's shocking management of the Exxon Valdez crisis in 1989.

UPDATE: See Rik Ferguson's take on the eBay breach. Recommended.