Recently, eBay discovered that hackers utilized the credentials of three of its corporate employees to gain access to user’s non-financial personal information. Users’ encrypted passwords, names, addresses, phone numbers and dates of birth were exposed as a result of the breach.
The breach occurred in late February or early March but was not detected until early May. In late May, eBay began notifying consumers of the incident.
The delay of a couple of weeks in notifying consumers was not unreasonable. Organizations have an obligation to delay notification until a full investigation can be done to determine the scope of the breach and the nature of any potential harm. Notification before an investigation is finished may allow hackers to cover their tracks or cause further, accelerated damage once they realize that the breach has been discovered.
The manner in which eBay rolled out its notice to consumers, however, was problematic. Rather than sending out an immediate email blast alerting users that their personal information had been exposed and advising them to change their passwords immediately, eBay posted a vague notice on its corporate website (ebayinc.com) stating that eBay was “aware of unauthorized access to eBay systems that may have exposed some customer information,” and that it “will be asking all eBay users (both buyers and sellers) to change their passwords.” Around the same time, eBay posted what appears to be an earlier, incomplete draft of that notice on PayPal’s website without any explanation of why it was published there. The post, which was later removed, caused some consumers to mistakenly believe that PayPal information had also been exposed as a result of the breach. Notably, no notice or information was provided on eBay’s main consumer facing website (ebay.com).
Experts weighed in immediately, criticizing eBay’s initial response. Security blogger Graham Cluley’s analysis was particularly harsh and noted that eBay’s failure to include a notice or warning on its main website was inexcusable.
Finally, two days after its initial notice, eBay posted a brief notice on its main website asking users to change their passwords. That notice was not prominent, however, and did not state whether user’s financial information was exposed during the breach. Additionally, eBay allowed users to login to the website without forcing them to change their passwords. It took several more days for eBay notify all of its users via email that they should change their passwords. As a result, many users discovered the breach through major news outlets and social media rather than through eBay’s own notices.
Under most state laws, eBay likely wasn’t required to notify consumers of this incident because financial information or social security numbers were not exposed, but there is a growing expectation that organizations will notify consumers whenever any personal information is exposed so that they can take steps to protect themselves. Also, at least three states are currently investigating the company’s data security practices and the Ney York Attorney General has called for eBay to provide free credit monitoring to users.
Clearly, eBay could have done a better job handling the aftermath of the breach. eBay’s mishandling of the situation indicates that it was not fully prepared to address a data security intrusion, which is surprising for a company with such a large and establish Internet presence. This incident serves as a reminder that all organizations should have a plan in place. Scrambling to put one together at the last minute can lead to unnecessary legal exposure and a public relations nightmare.