Lessons from The eBay Data Breach

By: David Cole and Behnam Salehi
Earlier this month, eBay became the latest victim of a high-profile cyber-attack, following recent attacks on large businesses like Target and Adobe. The attack on eBay resulted in one of the biggest data breaches in history, affecting 145 million of its users. The compromised data included user names, addresses, phone numbers, encrypted passwords, and dates of birth. While hackers were able to access non-financial user information, they do not appear to have retrieved any credit card or banking information. This is because eBay stored user financial information separately and in encrypted formats.
There has been a lot of criticism of eBay’s response over the past few weeks.  Some argue that it waited too long (approximately two weeks) to notify affected users after it first discovered the breach, and then downplayed the severity of the breach when it went public.  Perhaps the criticism is justified, but as anyone who has gone through a data breach knows, there are many nuances involved when making decisions about how to respond.  Sometimes these nuances are overlooked when the media takes hold of a story.  For instance, giving notice of a data breach too quickly, without conducting a full forensic examination to determine the scope of the breach, can be harmful by causing misstatements or requiring multiple notices to be sent.  Also, reassuring users that information like credit card and bank account numbers was not exposed is important and not necessarily an effort to downplay a breach.
What do you think?  Was eBay’s delay in notification proper? Did eBay maintain an effective data security plan?  Did it downplay the severity of the breach too much?  The answers may depend on factors we do not know.  Still, there are a few lessons that can be learned from eBay’s experience:

  1. The fact that there is so much debate and public attention on eBay’s response shows how complex these situations are.  We have talked about it so many times, but this is a good example of why it is important to work with experienced breach counsel when responding to a data breach.  The decisions that need to be made – such as when and how to give notice – are too varied and complex to risk going it alone.
  2. All organizations need to have a data breach response plan in place before an incident occurs.  Having this plan will establish a protocol for when and how to sound the alarm when a data breach occurs, who the members of your data breach response team will be, what outside vendors you will use, and how you will handle notice to affected individuals.  You do not want to be asking these questions for the first time in the midst of a breach.
  3. Organizations should encrypt all sensitive data, such as PII, financial, and health information.  Most data breach notification laws only require notice when unencrypted data is lost.  In eBay’s case, the situation would have been even worse than it is if financial information had not been encrypted.