TL;DR: eBay’s security was breached in late February or early March. Customer personal information was stolen. The breach was discovered two months later. The details of the breach are scarce, but eBay has divulged that the attackers only needed a simple username and password to breach eBay’s security. Using just a username and password to access customer personal information is bad. Storing customer personal information in plain text is a major no-no for any organisation that manages customer personal information. It is an even bigger no-no when the business model is based on trust.
Recently I had an interesting conversation around incident response (IR) and preparedness for incidents. For some reason the conversation centred on attack trees and how they can be used to improve the information security posture of a company. My take on it is that attack trees are great for the security mindset that puts prevention first, second, and third, with detection and response an equally distant fourth. They’re not so good in a world where non-agent failure (failure with no attacker behind it) happens and your response to it defines how much damage the organisation wears in the end.