Ina Steiner EcommerceBytes Blog
News and insight focusing on ecommerce.
by Ina Steiner, Editor of EcommerceBytes.com
Thu May 22 2014 20:01:30

Who Takes the Fall for eBay's Massive Data Breach?

By: Ina Steiner


Donahoe. Wenig. Carges. Who at eBay is ultimately to blame for exposing over 230 million users' personal information to hackers?

In the wake of one of the largest online data breaches in history, it's likely that one of these men will not be with the company when the dust settles. Just over 2 weeks ago, Target CEO Gregg Steinhafel was abruptly fired after 40 million credit card records and 110 million personal records were stolen from Target databases - far fewer records than in eBay's data breach. Though eBay had encrypted financial data such as social security numbers and credit card numbers, it did not encrypt sensitive data including names, email addresses, addresses and birth dates.

Plenty of media are picking up on the fact that personal data can be used for phishing and identity theft. Taking it one step further - let's say a fraudster uses my personal information accessed through the eBay breach to trick me into handing over my eBay password - will eBay protect me in the event of an account takeover? Multiply that by however many people fall for such a tactic. Some are also asking why eBay didn't encrypt information like addresses, emails and birthdates.

Aside from the breach itself, eBay has been taking hits for the lack of communication with its users after the compromise was discovered. Articles like this one in the UK's Daily Mail, "Why did eBay take THREE MONTHS to reveal cyber attack? Website blasted for 'inexcusable' delay after customers details were hacked as long ago as February", are not going to reassure users.
    
We've set up a poll - who should go?


Readers Comments

by: Puck

Thu May 22 20:22:11 2014

They'll blame the breach on small sellers.

by: NetWatch

Thu May 22 20:29:31 2014

Donahoe should be asked to resign IMMEDIATELY. From an article earlier today by Samuel Gibbs on The Guardian:
"Security experts have criticised the company for not encrypting all private customer information it held, which includes customer names, email addresses, physical addresses, phone numbers and dates of birth.
Security levels
“We use different levels of security based on different types of information we’re storing, and all financial information across all of eBay’s businesses is encrypted,” the company spokesman said.
“It is inexcusable for a company the size of eBay with the amount of data it holds to not encrypt all personal information held,” said Ferguson.
'Serious from an identity theft perspective'
Despite eBay seemingly not putting importance on personal information like postal addresses and dates of birth, the repercussions of this data theft could be felt for a long time after the break-in.
“I am concerned that not only have they lost my email, username and password, but according to their website the loss includes home address, phone number and date of birth. This is serious from an identity theft perspective,” said Hugh Boyes from the Institution of Engineering and Technology".

by: iheartjacksparrow

Thu May 22 21:05:12 2014

You're not kidding, Puck!

eBay will most likely not have to worry about purging thousands of sellers in August as this could possibly be the "straw that broke the camel's back," with many sellers leaving of their own accord. With all the abuse heaped upon sellers, and now facing the possibility of identity and/or monetary theft, perhaps many sellers will finally say, "enough is enough."  

by: Ric

Thu May 22 21:06:59 2014

Good thing JD brought that $ 9 Billion back to the US.

eBay can use it to pay off the golden parachutes due to him and the rest of his team which is likely to be purged.

by: Bubbles

Thu May 22 21:54:30 2014

JD should take the fall. After all he is supposed to be in charge. With all the techies they have this should have been done years ago.

by: hzATL

Thu May 22 21:56:15 2014

Wouldn't be much of a surprise to learn Donahoe & his loyal lackeys orchestrated this. Great way to rid eBay of millions more small sellers like me ($50,000.00 or less in sales per year) that list quality merchandise with no returns in favor of foreign sellers who list crap merchandise with negative net sales due to returns.

by: frustrated

Thu May 22 22:10:19 2014

@bubbles

WHAT techies?  The 19 year olds they hire in at 9 bucks an hour?

Check glassdoor.com for reviews from the poor souls who (thankfully) used to work there.

They just use it as a resume filler because there are still people out there who believe that companies as large as ebay only hire the best.

I cannot imagine the turnover they must have. Lucky for most of them, they are young enough to overcome their HORRIBLE experience there with little damage done.

They couldn't PAY me (personally) enough to sit and answer phones there, especially this week. And if they paid me 100 grand I could quit in one year with a paid off house, and never work again.

The IT people they have there sit and dream up stuff to do that has nothing to do with the real issues that plague the site, and most of the ''improvements'' they come up with wreck 2 or 3 other things that worked yesterday. That is the behavior of a VERY young person trying to show off for their boss. NOT a seasoned IT professional who actually KNOWS what they coded will work. Ebay doesn't PAY enough to grab those people. If they did, sellers wouldn't complain on a daily basis about idiotic glitches (like today's glitch with uploading pics, or the one where they tell you to add  '', . ,'' to the title...)

and oh BOY I could list 100 more things, that came from bad coding and lack of testing functionality.

In case anyone hasn't noticed, about 99% of the people who work there (ask them, they will tell you) NEVER use the site, as either a buyer or a seller. So why should they care about the breach??

Unless the DOJ decides they are 100% liable for all financial losses due to the breach, they never WILL CARE, either.

Maybe the people who work there know something we DON'T. Like the fact that a breach could happen any time?

It's WELL KNOWN that pay-pal has been hacked, and info sold off to the highest bidders, a couple times in the past. Only sellers with a HUGE financial investment, employees, building rent, and a house payment are willing to risk it.  CERTAINLY not a person who works there, who knows how sloppily everything is handled there....

by: frustrated

Thu May 22 22:13:27 2014

PS

Can we dare to hope this will be their EXCUSE for selling out to Google?

And can we dare to HOPE that if they do fire JD, we get someone BETTER this time, instead of the Meg/JD trade??

Let's vote for PIERRE, who started it, to take it back where it should be, so everyone can make money and find rare and wonderful items once again.

Sorry, it must be time for more medication.

by: frustrated

Thu May 22 22:15:50 2014

Sorry can't help it, one more thing:

2278 signatures and counting, PETITION TO ASK FOR JD'S RESIGNATION

http://www.petitiononline.com/petitions/jdonohoe/signatures?page=7

by: gramophone-georg

Thu May 22 22:59:12 2014

ALL of them should go. Clean sweep of any and all signs of Bain. eBay needs to get back to basics.

by: JLS

Thu May 22 23:13:27 2014

I agree:  They should ALL be fired for this!  I personally have seen a 600% INCREASE in phishing emails with 5 new ones just today, telling me that my Paypal account is going to be shut down ASAP if I don't log into their (of course, phony) website.  Of course, I also called Paypal who told me that there was no problem with my account and asked me to forward the 5 emails to their ''spoof @paypal.com'' but the phishing emails were so horrific that my own ISP provider would not allow any of the 5 to even be forwarded!

by: comet

Thu May 22 23:28:12 2014

@JLS---

The reason that your "spoof" emails can't get sent is NOT because of how "horrific" they were; it has everything to do with your ISP not ALLOWING something with the title SPOOF in it to go thru.

You might need to call Paypal and ask for a DIFFERENT email at their site to receive these.  This is a fairly well known if very annoying problem when trying to send these.  Sometimes you can't send these to ebay's spoof addy either.  

by: comet

Thu May 22 23:29:30 2014

@JLS--I forgot to mention--you might need to get PP to allow you to change the title on these before you send them---so that SPOOF word doesn't appear.

Maybe someone here knows more than I about this and can help further????

by: cfrphoto

Thu May 22 23:31:26 2014

Ultimately, sellers will take the fall. There is every reason to believe that the number of buyers will drop sharply while the eBay site remains in an unsettled state. I heard reports today of delayed or misdirected emails related to changing passwords. For a while at least, buyers will lose confidence in the site and buy less.

As far as security is concerned, either the break in was an "inside" job or eBay does not have the necessary security and compartmenting in place. It should not be possible to log into a web or database server from outside the eBay employee network. Access to the employee network from outside should require at least two forms of authentication. With proper isolation, breaking into a web server or performing a SQL injection attack should not result in being able to reach personally identifiable information (PII). It will be necessary for eBay to provide a better explanation and stop cutting corners with network security or employee security.

by: comet

Thu May 22 23:41:25 2014

I had to call PP today after--spoiler alert--I had a PROBLEM on ebay. I need to issue a refund and CANNOT do a Full or Partial OR use the Resolution Centers Communicate link to ya know communicate with the buyer I need to refund.  So I went to PP and couldn't do anything THERE either.  

Gee is it ME or are many parts of ebay even MORE messed up today than usual???

So I called.

Guess I never knew that if a "case" is filed you CAN'T issue a refund via Paypal!  I don't often have this happen so---

But!  While I was waiting the few SECONDS it took me to get IN to PP CSR I got a recorded announcement on the Ebay hack.  AND the CSR had to go into a rather elaborate "read" of the SAME info.  I am very sure I don't believe a word that the nice Nebraska girl had to SAY about it but it was at least PRO ACTIVE.  

I think everyone top down at ebay perhaps to the level of the janitors NEEDS to GO right away.  

This is criminal.

Imagine--you sell higher end items and store them at either your home or place of business.  Someone pays the hackers for YOUR info and some guy with a mask and a gun shows up at your house and demands the goods.

I know--farfetched, right?

Well sadly not really.  We had a guy killed around here for the PIN number of his ATM.  People will do crazy things for easy money.  

I doubt anyone will be turning up here in Cow Town for the vintage and new clothing and odds n ends I sell but some of you---I would be double checking the locks and alarms and changing those codes!!!!

Still NO email from ebay on my accounts at 12:31 AM EDT.  On the very bottom of the SELLING page I saw a notice of how they are maybe perhaps some day going to politely ask us to collectively change several million passwords all at once.  And friends have been reporting that they tried and cannot get a VALID new password.  

Sheesh

Who was it said::: The lure of easy money has a very strong appeal

by: Philip Cohen

Fri May 23 01:37:48 2014

There’s no point in simply “forwarding” a spoof email to “PreyPal” as the underlying meta data from the original email will not be included, and I don’t doubt that any such emails so sent will go straight into the “PreyPal” waste basket without any human intervention. For such a spoof email to retain its underlying meta data, and so be of some possible use in tracking its source, it has to be sent as an “attachment”. Regardless, I suspect that “PreyPal”, like eBay, will do nothing about such spoofs until the tremors therefrom start collapsing their premises around their ears …

“Meta data”, you know, that stuff the NSA was collecting …

eBay Inc, where the incompetent mingle with the malevolent and the criminal ... http://bit.ly/11F2eas

by: Moonwishes

Fri May 23 01:37:52 2014

Those of us that used to sell on ebay that have valid accounts, I know I for one haven't had a single email from ebay. I guess if I haven't had an ebay transaction in a while they don't care if my info got hacked? But it sounds like they don't care about anyone, most likely since the boards, and JD himself, don't buy or sell on the site, so THEIR info is secure!

by: summer in the city

Fri May 23 02:14:49 2014



Ebay: about as secure as a Pez dispenser.

by: pfft!!

Fri May 23 02:27:16 2014

Moonwishes, it's not just those who haven't used their acct's lately.  I'm a PS and TRS who sells 24/7 and HAVE since about 2003, and I haven't received ANYTHING from ebay re: changing my password.  

by: FREDDY

Fri May 23 03:27:20 2014

Sounds like they didn't want to invest in security, High payroll for execs- yes.

What happened to the ceo of Target??

Of course JD will come out and somehow place the blame on the small ''noise'' sellers.
