6/3/14
By: David Cole and Behnam Salehi
Earlier this month, eBay became the latest victim of a high-profile cyber-attack, following recent attacks on large businesses like Target and Adobe. The attack on eBay resulted in one of the biggest data breaches in history, affecting 145 million of their users. The compromised data included user names, addresses, phone numbers, encrypted password, and dates of birth. While hackers were able to access non-financial user information, they do not appear to have retrieved any credit card or banking information. This is because eBay stored user financial information separately and in encrypted formats.
There has been a lot of criticism of eBay’s response over the past few weeks. Some argue that it waited too long (approximately two weeks) to notify affected users after it first discovered the breach, and then downplayed the severity of the breach when it went public. Perhaps the criticism is justified, but as anyone who has gone through a data breach knows, there are many nuances involved when making decisions about how to respond. Sometimes these nuances are overlooked when the media takes hold of a story. For instance, giving notice of a data breach too quickly, without conducting a full forensic examination to determine the scope of the breach, can be harmful by causing misstatements or requiring multiple notices to be sent. Also, reassuring users that information like credit card and bank account numbers was not exposed is important and not necessarily an effort to downplay a breach.
What do you think? Was eBay’s delay in notification proper? Did eBay maintain an effective data security plan? Did it downplay the severity of the breach too much? These answers may depend on factors we may not know. Still, there are few lessons that can be learned from eBay’s experience:
Share
Save Print