When eBay announced in May that it had become the latest high-profile company to suffer a large-scale data breach, several top state law enforcement officials were quick to issue statements expressing concern and pledging to conduct investigations.
In the ensuing weeks, numerous states have teamed up to launch a joint probe of eBay’s breach and its broader security practices, according to an official at the Connecticut attorney general’s office, which along with the AGs in Illinois and Florida is leading the investigation.
In an interview with EcommerceBytes, Connecticut Assistant Attorney General Matt Fitzsimmons said that “a fair number” of states have joined the probe. He declined to provide an exact count, citing laws and policies in some states that keep involvement in such probes a secret, though he confirmed that “more than 10” states have joined the investigation.
As to the scope of the investigation, the attorneys general are looking into the specific circumstances surrounding the breach, as well as the general safeguards eBay has in place to protect against intrusions into its systems and shield its users’ information.
“I think it’s fair to say both. Not to necessarily imply that this breach was a result of anything or we’ve determined that eBay has deficient security,” said Fitzsimmons, who heads the privacy task force in the Connecticut AG’s office.
“We’re not going to be able to get to the why of the breach without looking at what they’re doing more generally,” he explained. “But it’s not a wholesale audit of eBay’s security system.”
Fitzsimmons stressed that the investigation is only in its early stages, and declined to answer specific questions about the preliminary findings or whether there are any indications of criminal or negligent activity that could lead to a settlement with the AGs’ offices or a legal action against eBay.
However, he did indicate that the investigation has so far supported eBay’s initial assurance that users’ financial information did not appear to have been jeopardized in the breach, likely obviating the need for the company to provide users with protective services like free credit monitoring.
“From what we know now, it’s not the type of information that would likely lead us to request credit monitoring,” Fitzsimmons said. “It doesn’t appear the information breach was the type that would normally lead to calls for credit monitoring.”
Asked about eBay’s involvement with the inquiry, Fitzsimmons said, “I don’t think I’d call them anything other than cooperative.”
Reached by email, eBay spokesman Ryan Moore said, “We don’t have anything to add at this time,” referring EcommerceBytes to the company’s second quarter earnings call, when executives acknowledged the hit the business took from the data breach.
After putting out a call for users to reset their passwords, eBay observed a dip in sales, with CEO John Donahoe acknowledging that some “buyers have not returned to their previous activity levels.”
“Our focus is now on recovery,” Donahoe said during a July conference call with reporters and Wall Street analysts.
At this point, there is no way to predict how long the probe might last, according to Fitzsimmons, who was involved with the multi-state investigation of privacy violations associated with Google’s Street View, which dragged on for nearly three years before a settlement was reached last March.
“I didn’t see that coming when we first got started,” Fitzsimmons said.
“I wish I knew,” he said of the potential duration of the eBay investigation. “You can never tell going in because you don’t know what you’re going to find in response to your questions.”