When eBay suffered a data breach earlier this year, lawmakers demanded answers.
Members of the Congressional Bipartisan Privacy Caucus have been in consultation with eBay officials, seeking responses to a litany of questions about the firm’s privacy and security protections following the breach that the company announced in May.
In a letter to eBay CEO John Donahoe dated May 28, Reps. Joe Barton (R-Texas) and Bobby Rush (D-Ill.) wrote that they “applaud eBay Inc. for alerting it’s (sic) users to change their passwords to ensure further protection of any personal information.”
“However,” they added, “we have some concerns regarding data security practices of personal information at eBay.”
Specifically, they asked how eBay could be certain that personally identifiable information such as shipping and billing data was not compromised in the breach, through which hackers evidently compromised a handful of employee credentials to gain access to a customer database. Once inside, the hackers were able to snare information such as customers’ names, dates of birth, email addresses, and phone numbers, as well as their encrypted passwords. Other sensitive information, including users’ credit card and Social Security numbers, was not compromised, eBay said.
The lawmakers also asked if the company was still investigating the circumstances surrounding the breach, and what, if any, changes in policy it had adopted following the incident.
The responses that eBay furnished, though unavailable to the public, were evidently satisfactory to Barton, who chairs the privacy caucus.
“We have heard back from eBay and aren’t seeking any additional information from the company at this time,” Barton spokesman Sean Brown wrote in an email.
Barton has a long history of probing companies about their privacy practices and circumstances involving security breaches. But Brown explained that, in this instance, the office had agreed to keep eBay’s answers under wraps.
“In most cases we share the answers to our questions publicly, but in this case – in order to get complete responses – we promised eBay that we would keep them confidential,” he said.
“In the weeks and months following the attack, we have continued to work with the relevant regulatory and governmental authorities – both in the U.S. and around the world – to provide them with information and to address their questions,” eBay spokesman Ryan Moore said in an emailed statement. “Those inquiries, as well as an active law enforcement investigation, are still ongoing.”
Moore also reiterated the company’s assurance that the breach did not compromise users’ financial information, and that the encrypted passwords that were accessed appear to remain secure.
“Five months after the attack was discovered, it still remains true that none of our customers’ financial data was compromised in the attack,” Moore said. “And we have no evidence that the stolen passwords have been decrypted.”