The Public Eye with Eric Chabrow

Was eBay's Breach Response Sufficient? Consumers, Security Expert React in Different Ways

William Hugh Murray quit using eBay - and sold the stock he owned in the company - because he feels the online retailer didn't do enough to safeguard personally identifiable information before it was breached this past winter.

"Employee credentials were compromised, and that implies no strong authentication," says Murray, detailing a serious sin in his eyes.

Murray isn't your typical online consumer; he's a certified IT security expert who chairs the governance and professional practices committee at (ISC)², the certifying body. He spent 25 years at IBM during his 50-year career in IT, mostly in information security.

What further exasperates Murray about the breach is that eBay required its customers to reset their passwords before they could resume buying and selling merchandise on the site, a process he contends was unnecessary.

"The funny thing about the password reset is that passwords were the only thing that weren't compromised," he says. "Nobody else seems to understand the seriousness of this thing."

It's not surprising that Murray's view of the eBay breach differs from the average consumer's. He characterizes the eBay breach as worse than the Target attack, in which hackers stole payment card data (see Post-Breach: Target Profits Decline Again), because eBay failed to protect personally identifiable information that could be used to steal individuals' identities.

Strong Faith

Although consumers do worry about identity theft, they still seem to trust the security of online retailers, despite a slew of highly publicized breaches. eBay says about 85 percent of its customers have reset their passwords.

Aite Group, a financial services research and advisory firm, recently surveyed consumer attitudes toward fraud, with findings that suggest most consumers hold online retail security in higher regard than the security found at bricks-and-mortar stores.

"I was very surprised to see the high percentage of consumers who do not trust that merchants use adequate security systems in their (bricks-and-mortar) stores to protect their data," Aite analyst and financial fraud expert Shirley Inscoe tells my colleague Tracy Kitten. "At the same time, there were some concerns about shopping online, but actually there was less confidence that in-store merchants used adequate security than online (retailers)."

The eBay attack, revealed in May, began with the compromise of a small number of employee log-in credentials. That gave the attackers access to eBay's corporate network, from which they reached a database holding records on 145 million customers, arguably the biggest exposure of PII ever.

According to the company, compromised information included encrypted passwords, customer names, e-mail addresses, mailing addresses, phone numbers and dates of birth. The exposed database did not contain financial information, eBay says. The company urged 145 million customers to reset their passwords (see eBay Breach: 145 Million Users Notified).

Passwords = Security, So Consumers Believe

The way eBay responded to the breach, by requiring new passwords, could have comforted consumers. Consumers equate passwords with security, and requiring them to reset their passwords sends a message that the site is now secure, says Allan Friedman, co-author of the recently published book Cybersecurity and Cyberwar: What Everyone Needs to Know. In the minds of average online consumers, Friedman says, "changing my password is more important than boycotting a site for bad security."

Besides, as marketers have discovered, altering consumer habits is problematic. "The one thing we know about consumer behavior is it's hard to change," Friedman says. "People buy the same brand of soap that they bought for 20 years."

eBay says it will generate about $200 million less revenue than originally expected this year, in part because of the breach (see eBay Sees Revenue Decline Due to Breach). On a July 16 teleconference held by company executives to explain eBay's latest financial results, the securities analysts who follow the company didn't seem overly concerned about the breach, because it appears to have put only a temporary dent in the company's revenue.

But analysts don't judge eBay the same way as Murray does. My question is, do you? Share your answer in the box below.
About the Author

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.