Cyber Attack on eBay Company: The Summer of 2014 Report

Attack analysis.

What the Internet makes possible today can be considered almost limitless: a large number of operations are performed over the global network every day, and people around the world benefit from them. However, the Internet is not always used for peaceful purposes. As technologies and programming systems have developed, so-called hacker attacks have become more frequent, and they are a real problem for many large companies. The scenario is often similar: criminals break into confidential databases and other private information that is not meant to be public and then publish or sell the stolen data. Over time, fighting such criminals has become harder, because new ways of circumventing defensive systems and antivirus databases are invented continually. One of the best-known cases involving the theft of important information was the attack on the database of the world-famous online marketplace eBay. According to some sources, it is counted among the most severe attacks in the history of the Internet. It is therefore necessary to establish what guided the perpetrators, what the attack led to, and what measures could have prevented the leak of important data.

Summary of the Attack

The case under investigation became public in 2014, when one of the most popular trading platforms on the Internet disclosed that it had been attacked by intruders (Meyer, 2017); eBay's own statement placed the intrusion in late February and early March, and the announcement came on May 21. According to Meyer (2017), “the company had 145 million user accounts compromised” (p. 11). Such a large number of affected people could not go unnoticed, and the eBay case received a significant public response. Although the attack did not touch financial information such as customers' payment card data, the personal data of many users was stolen. Users of the marketplace therefore had to change their passwords urgently and delete unused accounts so that they could not be hijacked. Customers' account pages do not hold vital payment information, but they do hold personal data, such as the volume and history of purchases, and that is what the compromised database contained. Therefore, the attack was primarily a theft of private user data rather than of financial data.

The damage to eBay's reputation was significant. The company's representatives tried to do everything possible to compensate for the harm done to their customers. However, the standing of the marketplace as the largest site for the sale of goods was badly dented, and its management faced much criticism from angry users. Because this attack became one of the most public in the history of the Internet, it still serves as an example for other large online trading corporations. The events of 2014 were therefore discussed very actively, and today eBay is putting much more effort than before into protecting its data.

Analysis of Hackers’ Activities

The people who stole user information, passwords and access credentials were organized professionally enough. It is worth noting that eBay's protection was not useless: its perimeter firewall held for some time. Nevertheless, the criminals managed to circumvent it, and, as eBay later disclosed, they did so with stolen employee log-in credentials rather than by breaking through the perimeter directly. Figure 1 shows what happened to the marketplace and what threat its customers faced:

Figure 1. The case of eBay data theft and a potential threat to customers.

According to Figure 1, customers could have been at serious risk had the hackers' goal been to steal and use specific information. It is hard to say what the criminals' motives were and what they wanted to achieve. Perhaps their actions were aimed at undermining the company's standing: according to El-Kenawy, El-Desoky, and Sarhan (2014), eBay has always been one of the world's largest online platforms, and competitors' activities have always been aimed at reducing its popularity. Another possible explanation is ordinary database hacking for entertainment, showing the creators of the security system that their product is unsafe and easily damaged. Whatever their intent, the criminals achieved it: eBay's system was breached, and the information of millions of user accounts became available to strangers.

The hackers did not use the well-known DDoS scheme, in which many requests are sent to one site to bring it down. They used a more sophisticated method: having gained a foothold inside the company's network, they obtained access to its user database. Because critical financial data were not stored in the attacked database, no money was stolen. However, the reputational damage to eBay was enormous. According to Aggarwal, Arora, and Ghai (2014), millions of online buyers lost their password-protected data. This attack was one of the most famous in the history of the Internet and remained a subject of discussion for a long time. Perhaps, had the criminals managed to steal the company's money and buyers' personal funds, eBay would have ceased to exist altogether under the weight of lawsuits from dissatisfied customers. The theft was only of information, which nevertheless cannot be regarded as anything positive. Had specific measures been taken in time, hacking the system and stealing valuable information would not have been so easy.

Approaches for Mitigating the Attack Vectors

One of the main reasons the hackers did not obtain financial data is that it was not in the compromised database at all: eBay stored financial data separately, and the passwords in the stolen database were held not in clear text but in hashed form (the company's disclosure calls them "encrypted"; its chief technology officer described the process as hashing). Encryption, more generally, is the method used to prevent unauthorized access to data and the interception of traffic: it converts data so that only a holder of the right key can read it. Encryption is either symmetric or asymmetric. In symmetric encryption, a single key, known in advance to both parties, is used for both encryption and decryption. In asymmetric encryption, two keys are used: a public key, which encrypts a message (or verifies a signature), and a private key, which decrypts it (or signs). Online platforms such as eBay use both: the TLS connection behind the padlock on the login page uses asymmetric cryptography to authenticate the server and agree on a session key, and a symmetric cipher under that key to protect the traffic itself. It should be stressed that transport encryption protects data in transit, not the database at rest, and that hashing protects stored passwords only as far as the hash is slow and salted; neither would have stopped an attacker holding a valid employee's credentials. The simplest and most familiar example of such protection is the login page:

Figure 2. The login page of eBay.

As Figure 2 shows, the same kind of protection is used on many online platforms. Beyond it, a few further methods can be identified by which eBay's IT staff could have prevented the attack of 2014. To protect the system from a recurrence of such attacks, the following preventive rules should be observed.

Restricted Access to the System

Measures against unauthorized access can be quite simple if they are properly implemented. The fundamental idea is to reduce or eliminate the attacker's ability to reach the system over any protocol or port that is not deliberately exposed. For example, a server that provides web services to external users should expose only the web service itself; administrative and database ports should not be reachable from the Internet at all. A port that cannot be reached cannot be attacked. The firewall's main task is to enforce that boundary and stop the simplest attempts at unauthorized access. It does not, however, help against an attacker who logs in with stolen credentials over a path that is allowed, which is what happened at eBay.

Had eBay's IT department protected its systems in time to prevent unwanted access, the 2014 case would not have happened. One person or a group of people took advantage of the fact that the marketplace's internal network was not sufficiently protected: once inside with valid credentials, they were able to copy the user database with little difficulty. After the incident, the company decided to strengthen the protection of the network and review its protective controls in order to rule out a repetition of the attack. Nevertheless, the damage the corporation suffered can hardly be forgotten.

Centralized Key Management

A method that in many ways complements encryption is centralized key management. Several points are important here: keys are generated, distributed, rotated and revoked under a defined procedure, and every component in the chain obtains its keys from a single managed source rather than keeping its own. This order is shown in the following scheme:

Figure 3. The system of centralized cryptographic key management.

As Figure 3 shows, all the objects in the database chain are managed by one key element. Such a scheme must conform to the standards of modern information protection. The more reliably and professionally the central control point is organized, the better the chances that the system is protected from hacker attacks; conversely, a poorly designed scheme creates the threat of data theft, since the key server itself becomes the most valuable target in the network.

Design to Identify the Attack

There are many ways to exploit a vulnerability in a particular network. Hackers can use one or several exploits at the same time, misconfigured software components, or even a backdoor installed in the operating system during a previous attack. For these reasons, detecting a hacker attack is not the easiest task, especially for an inexperienced user. The data center infrastructure that eBay used in 2014 followed fairly standard principles; its software, server hardware and monitoring systems were quite ordinary. Security was controlled according to a traditional scheme, and no special procedures were used. It is therefore worth formulating some tips that could have helped an operator judge whether the computers of eBay's network were under attack. Certainly, none of these methods guarantees that an attack would have been detected; however, when a system is about to be compromised, some of the following indicators can usually be seen.

High Outgoing Network Traffic

With an ordinary connection, an unusually large amount of outgoing network traffic can be noticed, in particular when computers from a certain group are connected to the Internet but nobody is using them. In that case the risk that the network has been compromised is high: such a computer may be used for hidden spamming or for spreading malware, or, in a data theft, for sending a copied database out of the network. Copying 145 million records out of eBay necessarily produced outgoing traffic, so this indicator is directly relevant to the case, even though the attackers evidently kept the transfer below notice, since the intrusion went undetected from late February until May. It is therefore important to watch for this kind of danger and to stop a potential break-in in time.

Increased Hard Drive Activity

Increased hard drive activity or suspicious files in root directories are a good reason to pay close attention to the protection system. Many hackers scan the information stored on the network in search of valuable documents or of files containing logins and passwords to bank payment centers or electronic payment systems such as PayPal (How hackers hack PayPal account in 2017 – Hack PayPal, 2017). Some malware similarly searches disks for files with email addresses, which are then used to send infected messages. If significant disk activity is noticed while the computer is idle, together with suspicious names appearing in shared folders, it is reasonable to assume that the network has been compromised and that the threat of theft is high.

Packets Blocked by the Firewall

After choosing a target (for example, the IP address range of a company or home network), hackers usually run automated scanners that try a set of exploits against it. If an installed firewall, an indispensable tool against such attacks, reports an unusually high number of dropped packets from the same address, the network is being probed. As long as the firewall drops those packets, the network is most likely safe from that probe; however, much depends on which running services are exposed to the Internet. A firewall cannot, for example, protect an FTP service that it has been configured to allow. In that case the solution is to block the offending source temporarily until the connection attempts stop. Most corporate firewalls have such a function and use it to protect company networks from various threats, including data theft.
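The two indicators above, unusually high outgoing traffic and a burst of dropped packets from one source, can be checked mechanically. The following is an added example, not code from the essay or from eBay: it runs both checks over constructed sample data (daily outbound byte counts per host, and firewall drop lines in the style of a Linux netfilter LOG target). The host names, addresses and thresholds are assumptions chosen for illustration.

```python
"""Two breach indicators from the text, run over constructed sample logs."""
import re
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (day, host, bytes_out). Days 1-6 form the
# baseline; on day 7 the database host pushes far more data out than usual.
FLOWS = [
    (1, "app-01", 1_200_000), (1, "app-02", 1_100_000), (1, "db-01", 300_000),
    (2, "app-01", 1_300_000), (2, "app-02", 900_000),   (2, "db-01", 250_000),
    (3, "app-01", 1_250_000), (3, "app-02", 1_000_000), (3, "db-01", 320_000),
    (4, "app-01", 1_150_000), (4, "app-02", 1_050_000), (4, "db-01", 280_000),
    (5, "app-01", 1_400_000), (5, "app-02", 950_000),   (5, "db-01", 310_000),
    (6, "app-01", 1_100_000), (6, "app-02", 1_000_000), (6, "db-01", 290_000),
    (7, "app-01", 1_300_000), (7, "app-02", 1_000_000), (7, "db-01", 48_000_000),
]

def exfil_suspects(flows, day, factor=10.0):
    """Return {host: ratio} for hosts whose outbound bytes on `day` are at
    least `factor` times that host's median daily outbound volume on the
    days before it. A median baseline is robust to a single earlier spike."""
    history = defaultdict(list)
    today = defaultdict(int)
    for d, host, nbytes in flows:
        if d < day:
            history[host].append(nbytes)
        elif d == day:
            today[host] += nbytes
    suspects = {}
    for host, nbytes in today.items():
        if history[host]:
            ratio = nbytes / median(history[host])
            if ratio >= factor:
                suspects[host] = round(ratio, 1)
    return suspects

# Constructed firewall drop lines (netfilter LOG style; addresses are from
# the documentation ranges). One source walks six ports in two seconds;
# another merely retries SSH.
FW_LOG = """\
May 20 02:14:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=21
May 20 02:14:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=22
May 20 02:14:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=23
May 20 02:14:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=3306
May 20 02:14:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=5432
May 20 02:14:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=8080
May 20 02:15:10 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP DPT=22
May 20 02:16:45 fw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP DPT=22
"""

DROP_RE = re.compile(r"DROP .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

def scanners(log_text, min_ports=5):
    """Return {src: sorted ports} for sources whose dropped packets touched
    at least `min_ports` distinct destination ports: a vertical port scan.
    Repeated drops on a single port (a retrying client) are not flagged."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            ports[m["src"]].add(int(m["dpt"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    print("outbound volume anomalies on day 7:", exfil_suspects(FLOWS, day=7))
    print("port scanners in firewall log:", scanners(FW_LOG))
```

In practice the baseline would come from a flow collector and the drop lines from the firewall's own log, but the logic is the same: compare each host against its own history rather than a fixed number, and count distinct ports per source rather than raw packet volume, since a single noisy but legitimate client can produce more drops than a careful scanner.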

Thus, a plan to protect the personal data of eBay's users could have been developed in advance, and had all the appropriate measures been taken in time, the unpleasant consequences could probably have been avoided. The system was not sufficiently protected, which caused considerable damage. After the case of 2014, the company's management has undoubtedly revised its approach to protecting both valuable financial information and user data. Nevertheless, if the whole scheme is not carefully thought through and some parts of the network remain vulnerable, it is impossible to speak of full protection. Only comprehensive control will achieve maximum security and prevent a repetition of the attack. It is therefore worth discussing some additional concepts related to the attack.

Comparison of the eBay Attack with Another Case

Certainly, the attack of 2014 on eBay's database was not the only major online security event of that year. In the same year, the public learned the term Heartbleed bug. Unlike the eBay case, Heartbleed was not an attack but a vulnerability (CVE-2014-0160) in the OpenSSL library's implementation of the TLS heartbeat extension, and because OpenSSL is so widely used, it affected the security of many well-known platforms, including Google and Facebook (Gujrathi, 2014). The two cases nevertheless had something in common: an attacker exploiting Heartbleed could read the contents of a server's memory, which at that time could contain private user data (Gujrathi, 2014), so the outcome, the exposure of users' secrets, was similar. The bug was so famous that it even had its own logo. What it allowed an attacker to do is shown in the following scheme:

Figure 4. The damage that the Heartbleed bug caused.

Heartbleed is a serious vulnerability that lets an attacker read the contents of server memory, which can contain private data of the users of various web services (Gujrathi, 2014). Cybercriminals can also obtain digital keys, for example those used to encrypt correspondence and internal documents in a variety of companies. Each malicious heartbeat request returns up to sixty-four kilobytes of the server's memory, and the request can be repeated as many times as the attacker likes, so that over time a large part of what the process holds can be collected. This means that not only logins and passwords may leak but also the session cookies that web servers and sites use to track user actions and simplify authorization. According to Gujrathi (2014), repeated attacks can yield more serious material, such as the private key the site uses for its TLS traffic. With that key an attacker can impersonate the original site, decrypt captured traffic, and steal a variety of personal data, such as credit card numbers or private correspondence.

Accordingly, this vulnerability also endangers personal data, and its effect has something in common with the eBay case of 2014. In particular, Heartbleed is dangerous where passwords are concerned, and in 2014 the passwords of many customers of the marketplace were likewise stolen. In both cases, therefore, the problem comes down to ensuring full protection of passwords and other important information that cybercriminals can use.
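The mechanism behind the sixty-four-kilobyte leak is a single missing bounds check, and it is easiest to see with the vulnerable and the corrected handler side by side. The following is an added example, not code from the essay or from OpenSSL: it models the heartbeat record of RFC 6520 (a one-byte type, a two-byte payload length, the payload, and at least sixteen bytes of padding) and the check the OpenSSL fix introduced. The "heap" is a constructed byte string standing in for whatever lay in the process's memory after the record; the secrets in it are invented.

```python
"""Heartbleed in miniature: the missing bounds check and the fix, side by side."""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16   # RFC 6520 requires at least 16 bytes of random padding

# Constructed stand-in for the memory that happened to follow the record in
# the server's heap: data from other connections that an over-read exposes.
OTHER_MEMORY = (b"...session cookie=abc123; password=hunter2; "
                b"-----BEGIN RSA PRIVATE KEY-----...")

def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Encode a heartbeat request. An honest peer sets claimed_length to
    len(payload); the attack lies and claims up to 65535."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * PADDING

def vulnerable_handler(record: bytes, heap_after_record: bytes) -> bytes:
    """Pre-fix logic: trust payload_length from the wire and copy that many
    bytes starting at the payload, running past the end of the record."""
    _, payload_length = struct.unpack("!BH", record[:3])
    memory = record + heap_after_record           # what the pointer actually walks over
    payload = memory[3:3 + payload_length]        # no comparison with the record length
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * PADDING

def fixed_handler(record: bytes, heap_after_record: bytes):
    """Post-fix logic: silently discard the request if
    1 + 2 + payload_length + 16 exceeds the real record length."""
    _, payload_length = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_length + PADDING > len(record):
        return None
    payload = record[3:3 + payload_length]        # stays inside the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * PADDING

def leaked_bytes(response: bytes) -> bytes:
    """Strip the response header and padding to show what the peer received."""
    _, n = struct.unpack("!BH", response[:3])
    return response[3:3 + n]

if __name__ == "__main__":
    honest = build_heartbeat(b"hello", 5)
    malicious = build_heartbeat(b"hello", 0x4000)  # claims 16 KiB for a 5-byte payload
    print("honest, vulnerable :", leaked_bytes(vulnerable_handler(honest, OTHER_MEMORY)))
    print("malicious, vulnerable:", leaked_bytes(vulnerable_handler(malicious, OTHER_MEMORY)))
    print("malicious, fixed    :", fixed_handler(malicious, OTHER_MEMORY))
```

The honest request behaves identically under both handlers, which is why the bug survived for two years: nothing in normal traffic exercises the difference. Only a request whose claimed length exceeds the record reveals it, and repeating that request is all the "attack" consists of.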

Measures to Prevent Attack Repetition

Although eBay's management took appropriate measures after the events of 2014 to protect customer data and ensure better security, there is always a risk of attack. Technology never stands still, and new viruses and other malicious software appear regularly. Hackers can devise other threats capable of circumventing existing firewalls and harming content.

For this case not to repeat itself, eBay's IT professionals should pay particular attention to the protection of customers' personal data and, in particular, to how passwords are stored: hashed with a per-user salt and a slow algorithm, never in a form that can be decrypted in bulk. There is a high probability that attackers will try again, since this marketplace is one of the largest and best known on the Internet, and information about its customers can bring cybercriminals considerable profit. System administrators should therefore monitor the volume of outgoing traffic and, on any anomaly, immediately investigate and block suspicious activity. It is also essential not to let third parties near the database where all the important information is stored. Even a person working inside the organization can turn out to be a criminal and steal passwords and other client data; and, as the eBay case showed, an outsider holding an employee's stolen credentials looks to the database exactly like an insider. To guard against both, access to the database should be limited to those whose work requires it, each account should see only the tables and records its role needs, and bulk reads should be logged and reviewed, so that no single set of credentials can quietly copy the entire customer table.
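The last point can be made concrete: a database audit log, read against a least-privilege policy, shows both an account touching a table its role does not need and a session returning far more rows than its role should ever need. The following is an added example, not code from the essay or from eBay; the audit line format, the roles, the tables and the row caps are assumptions for illustration, and the log lines are constructed.

```python
"""Least-privilege audit of database sessions over constructed audit lines."""
import re
from collections import defaultdict

# Assumed policy: the tables each role may read and the total rows one
# session may return. A support agent looks customers up one at a time;
# nobody's job requires streaming the whole customer table.
POLICY = {
    "support": {"tables": {"customers", "orders"}, "row_cap": 5_000},
    "analyst": {"tables": {"orders"}, "row_cap": 1_000_000},
    "dba":     {"tables": {"customers", "orders", "payments"}, "row_cap": 50_000},
}

# Constructed audit records in an assumed key=value format.
AUDIT_LOG = """\
2014-03-02T09:12:45Z user=jsmith role=support session=41 rows=1 sql="SELECT name,email FROM customers WHERE id=8812"
2014-03-02T09:13:01Z user=jsmith role=support session=41 rows=3 sql="SELECT * FROM orders WHERE customer_id=8812"
2014-03-02T02:40:10Z user=mlee role=dba session=77 rows=1000000 sql="SELECT name,email,dob,phone FROM customers LIMIT 1000000"
2014-03-02T02:41:32Z user=mlee role=dba session=77 rows=1000000 sql="SELECT name,email,dob,phone FROM customers LIMIT 1000000 OFFSET 1000000"
2014-03-02T10:05:00Z user=akim role=analyst session=90 rows=12 sql="SELECT count(*) FROM payments"
"""

LINE_RE = re.compile(
    r'user=(?P<user>\S+) role=(?P<role>\S+) session=(?P<session>\d+) '
    r'rows=(?P<rows>\d+) sql="(?P<sql>[^"]*)"')
# Tables referenced by a query: whatever follows FROM or JOIN.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)

def audit_sessions(log_text, policy):
    """Return a list of (user, session, reason) alerts: a query on a table
    outside the role's allowance, or a session whose cumulative rows
    returned cross the role's cap (reported once, when the cap is crossed)."""
    totals = defaultdict(int)            # (user, session) -> rows returned so far
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, role, session = m["user"], m["role"], m["session"]
        rows, sql = int(m["rows"]), m["sql"]
        rules = policy.get(role)
        if rules is None:
            alerts.append((user, session, f"unknown role {role}"))
            continue
        for table in TABLE_RE.findall(sql):
            if table.lower() not in rules["tables"]:
                alerts.append((user, session, f"table {table} not permitted for role {role}"))
        key = (user, session)
        before = totals[key]
        totals[key] += rows
        if before <= rules["row_cap"] < totals[key]:
            alerts.append((user, session,
                           f"session exceeded row cap ({totals[key]} > {rules['row_cap']})"))
    return alerts

if __name__ == "__main__":
    for alert in audit_sessions(AUDIT_LOG, POLICY):
        print(*alert)
```

The row cap is the control that would have mattered at eBay: a stolen credential is still a credential, so table permissions alone do not stop it, but a cap on what one session may pull, enforced or at least alerted on in near real time, turns a quiet copy of 145 million records into an event somebody sees.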

eBay's management has probably taken all the necessary measures since the attack of 2014. Nevertheless, control must be maintained, because the hacker threat can take any form: stealing passwords, blocking information, defacing the site, and so on. The higher the security of the system, the less likely it is that cybercriminals will be able to crack it.

Thus, according to the information studied, eBay has undergone one of the most famous hacker attacks in the history of the Internet. The reason for the leak of customer personal data was an insufficient level of system protection. The threat could have been prevented had appropriate measures been taken in time. The cybercriminals acted according to a fairly well-known pattern. Although customers did not lose their money, the reputation of the marketplace was damaged. To avoid such an attack in the future, it is essential to provide enhanced database protection and to monitor any suspicious activity.

Aggarwal, P., Arora, P., & Ghai, R. (2014). Review on cyber crime and security. International Journal of Research in Engineering and Applied Sciences, 2(1), 48-51.

El-Kenawy, E. S. M. T., El-Desoky, A. I., & Sarhan, A. M. (2014). Bidder strategy system for online auctions trust measurement. International Journal of Computer Science Issues (IJCSI), 11(5), 76-82.

Gujrathi, S. (2014). Heartbleed bug: An OpenSSL heartbeat vulnerability. International Journal of Computer Science and Engineering, 2(5), 61-64.

How hackers hack PayPal account in 2017 – Hack PayPal. (2017). Web.

Meyer, C. (2017). Submitted to the Department of Technology Systems. Web.

The case of eBay data theft and potential threat to customers [Image]. (2014). Web.

The damage that the Heartbleed bug caused [Image]. (2014). Web.

The login page of eBay [Image]. (2017). Web.

The system of centralized cryptographic key management [Image]. Web.

IvyPanda. (2020, December 29). Cyber Attack on eBay Company: The Summer of 2014. https://ivypanda.com/essays/cyber-attack-on-ebay-company-the-summer-of-2014/


The eBay Data Breach: What You Need To Know

In what is one of the biggest breaches of user data yet, eBay has revealed that in March 2014 its servers were compromised. Other than confirming that staff accounts were co-opted and advising eBay account holders to change their passwords, it is revealing nothing else.

So, what should you do? Is changing your password enough, or should you go further? Perhaps your concerns extend to other eBay owned services, most notably PayPal?

eBay Explains What Happened

In a blog post headed "eBay Inc. To Ask eBay Users To Change Passwords" on Wednesday, May 21st (following an earlier empty blog post that leaked the security breach, allowing several news outlets to get the jump on eBay), the auction giant announced that

"...it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data."

The post goes on to explain how the company (oddly writing in the third person, indicating a lack of acceptance) has found no evidence that financial and credit card information has been compromised following the attack, which took place during "late February and early March". Compromised information included "eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth."

EBay insists that it is taking the matter seriously and is currently "Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers."

How Was Your eBay Data Compromised?

Having detected the security breach around two weeks ago, eBay made mention of "the compromised employee log-in credentials" which are to blame for the intrusion. A forensic investigation then "identified the compromised eBay database" where personal data – for every single eBay user – is stored.

You may want to re-read that last paragraph.

At this point, it is unclear exactly how the eBay employee accounts were compromised. One suggestion is that they may have fallen foul of a phishing attack, where a fake email was sent asking them to log in and reset their password on a convincing-looking website. An alternative – and these are but speculation as eBay has been forthcoming with little detail about this disgraceful affair – is that the breach was made possible by an internal attack. Could an employee have conducted this break in?

Also, consider the number of accounts: personal data of 145 million people has apparently been stolen. If this intrusion was the result of employee accounts being compromised, was there a single person who had access to all 145 million records?

The timeline, meanwhile, coincides with the Heartbleed storm. In April eBay reassured users:

1) Your eBay account is secure

2) Your eBay account details were not exposed in the past and remain secure

3) You do not need to take any additional action to safeguard your information

4) There is no need to change your password

Meanwhile the startup password changing service Passomatic reported that "all its partners have made the fix. Among them are eBay."

Could Heartbleed have been the route into eBay? Or more embarrassingly, could the focus on the OpenSSL vulnerability turn out to have been a very costly distraction for the online auction house?

Dealing With The Security Breach

One of the most concerning aspects about this case is the timeline. It seems remarkable that eBay did not detect the breach sooner, something that may indicate a hacking operation of particular skill (equally, it could mean that eBay's database security is not fit for purpose).

Following the announcement, eBay claimed that "users will be notified via email, site communications and other marketing channels to change their password". However so far there have been no reports of emails being received, and only social networks issuing notices.

What you may not know about eBay, Inc. is that it not only owns the popular online auction site www.ebay.com and its international variants, it also owns PayPal.

The unapologetic, limited details released by eBay do them no favours. While they claim that their other businesses are unaffected by this breach, the fact is that unless eBay proves that it knows this for sure, there is no way that we can trust this assertion.

Being realistic, this is a security breach of cataclysmic proportions. The volume and depth of data stolen from accounts is unprecedented.

To make matters worse, phishing emails are now arriving in inboxes around the world as scammers attempt to cash in on the breach (although an unusual aspect of the case is that the data has not yet turned up on the darker side of the Internet, leading to some uninformed speculation that the breach is little more than a PR exercise).

The screen cap above was taken on Wednesday, May 21st, the day news of the leak broke. No warnings or advice to be found!

Some other things that you should consider. As of January 2013 there were 112.3 million active users worldwide; 145 million records are said to have been stolen. This leaves the potential for around 30 million unused accounts to be hijacked – more than enough to destroy eBay's internal ratings and trust system should the hackers so choose. Trust is key to eBay's business model, and without it, its days could be numbered.

Then there's the request for people to change their passwords. The site has already experienced performance issues following news of the breach as users flocked to eBay to begin changing passwords.

That's if users can even find the change password option (hint: click the forgot your password? button to save time).

The Financial Data Question: Are Your Card Details Safe?

EBay insists that no financial or credit card data has been compromised, only names, encrypted passwords, email and physical addresses, phone numbers and dates of birth.

This is an attempt at damage control, however, to minimize outrage.

Say you wanted to access your eBay card details, what would you do? Sign in, of course, with your username and password. While the card number will be largely obscured (save for the final four digits), there is potentially enough information here to give a hacker what they need, from card expiry date to confirmation of your card type and how often you've used it. This information is certainly sufficient to pick an individual out as a target, and if cross-referenced with other accounts, possibly more.

Remember, your online identity is basically a dataset of your physical identity. Each element – name, date of birth, address – is like a jigsaw. As more pieces are found, a bigger picture of who you are emerges.

What You Should Do To Protect Your Data?

eBay has stated that its businesses are all kept separate. The implication of this should be that PayPal data is kept completely isolated from eBay data.

However, as the company has been unclear about how the breach occurred and which employees were affected, there is no reason to take this comment seriously.

As such we recommend that you change both your eBay and PayPal passwords. Ensure that these are different, and are not the same as those used for any other online accounts. Furthermore, heed eBay's advice and address other online accounts you have that used the same password. Our tips on creating a secure password should help you out here. You might also store these in a secure service or app such as LastPass.

In the USA, PayPal offers a two-factor authentication system using a small handheld tool to create a code. While it would seem that there is no similar system in place for eBay, you can in fact get your hands on one for the auction site after you've signed up for the PayPal device. The implementation and promotion of these tools has been poor, as you can see, but two-factor authentication is a must for any online service that stores any data about you.

Remember, this is your data that eBay is admitting to having lost. Your name, address, phone number, birthday… you can change your password, but you can't change them.

This Breach Is Disastrous For eBay

As stated earlier, we believe that changing your passwords and adopting two-factor authentication (where available) for eBay and PayPal is the best course of action.

However, if we consider the lack of information about the breach, the possibility of an internal attack, the lack of data being put up for sale, the potential for 30 million zombie accounts destroying eBay's seller trust rating and its inability to cope with password resets, there remains a question that has to be asked. Do you really want to be a member of a website that treats user data and security breaches in this way?

If you're thinking "but eBay is the only decent auction site!" then you're quite wrong, as there are plenty of alternatives that you should check out.

However, we would encourage you to give this matter serious thought. It might not save your stolen data, but enough people voting with their feet will give other companies cause to act responsibly in these situations in future.

Have you received an email from eBay? Did you change your password already? How do you feel about this breach?

Let us know your thoughts in the comments.


EBay Urges New Passwords After Breach

By Nicole Perlroth

May 21, 2014


SAN FRANCISCO — In the latest prominent breach of a company’s computer network, hackers have infiltrated the online marketplace eBay, gaining access to the personal data of 145 million customers, the company said on Wednesday.

The hackers broke into an eBay database containing names, email addresses, birth dates, encrypted passwords, physical addresses and phone numbers.

There was no indication that the attackers obtained financial information such as credit and debit card numbers or gained access to customer accounts at PayPal, which is owned by eBay, said Amanda Miller, a company spokeswoman. The company has not seen evidence of fraudulent activity that could be linked to the breach, she said.

Still, hackers could use the stolen data for identity theft. Personal information — such as email addresses, passwords and birth dates — is regularly sold to criminals who use it for phishing or identity theft.

Security experts warned that the stolen information would make eBay customers easy targets for phishing attacks, in which criminals send emails that bait victims into clicking on malicious links or direct them to fake log-in screens where they are asked to enter more valuable information like a password or a Social Security number.

“Expect an uptick in phishing. Do not click links in email or discuss anything over the phone,” warned Trey Ford, a strategist at Rapid7, a security firm in Boston.

EBay discovered the breach this month when the company’s internal security team noticed that some of its employees were engaged in unusual activity on its corporate network, said Mark Carges, the company’s chief technology officer.

EBay contacted the Federal Bureau of Investigation’s San Francisco office as well as an outside computer forensics firm. Working together, they found that hackers had been inside eBay’s corporate network since late February.

By studying computer logs, eBay discovered that hackers had stolen the credentials of several of its employees and gained unauthorized access to eBay’s corporate network. Once inside, they were able to copy a database containing information on all 145 million of the company’s customers, according to Alan Marks, eBay’s senior vice president of global communications.
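The log-driven detection described above, as an added example that is not eBay's code or logs: it learns each employee account's usual source addresses from a baseline window, then flags successful logins from never-before-seen sources and bulk reads of the customer table. The log format, field names, baseline cutoff and row threshold are assumptions, and the log lines are constructed for the demo.

```python
"""Added example (not eBay's code or logs): spotting misuse of stolen employee
credentials in access logs.

Learn each account's normal source addresses from a baseline window, then flag
(a) successful logins from a source never seen for that account and (b) reads
of the customer table larger than a bulk threshold. Format, field names,
cutoff and threshold are assumptions; the sample log is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line format:
#   <iso-timestamp>Z auth user=<u> src=<ip> result=ok|fail
#   <iso-timestamp>Z db   user=<u> table=<t> rows=<n>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>auth|db) user=(?P<user>\S+)"
    r"(?: src=(?P<src>\S+))?(?: result=(?P<result>\S+))?"
    r"(?: table=(?P<table>\S+))?(?: rows=(?P<rows>\d+))?$"
)
BULK_ROWS = 100_000                    # assumed: reads this large are "bulk"
BASELINE_END = datetime(2014, 2, 15)   # assumed: end of the learning window

# Constructed sample: jsmith normally logs in from 10.20.3.14; late on 27 Feb
# the same account succeeds from an outside address and dumps the table.
SAMPLE_LOG = """\
2014-02-03T09:12:01Z auth user=jsmith src=10.20.3.14 result=ok
2014-02-03T09:13:44Z db user=jsmith table=customers rows=120
2014-02-10T08:58:10Z auth user=jsmith src=10.20.3.14 result=ok
2014-02-11T10:02:37Z auth user=akumar src=10.20.7.2 result=ok
2014-02-20T09:01:15Z auth user=jsmith src=10.20.3.14 result=ok
2014-02-27T02:41:09Z auth user=jsmith src=203.0.113.77 result=fail
2014-02-27T02:41:30Z auth user=jsmith src=203.0.113.77 result=ok
2014-02-27T02:55:02Z db user=jsmith table=customers rows=145000000
2014-03-01T11:20:00Z auth user=akumar src=10.20.7.2 result=ok
""".splitlines()


def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["rows"] = int(ev["rows"]) if ev["rows"] else 0
    return ev


def detect(lines, baseline_end=BASELINE_END, bulk_rows=BULK_ROWS):
    """Return alerts as (rule, user, detail) tuples in log order."""
    events = [e for e in map(parse, lines) if e]

    # Baseline: which sources has each account successfully used before the cutoff?
    known_src = defaultdict(set)
    for e in events:
        if e["kind"] == "auth" and e["result"] == "ok" and e["ts"] < baseline_end:
            known_src[e["user"]].add(e["src"])

    alerts = []
    for e in events:
        if e["ts"] < baseline_end:
            continue                       # learning window, never alert on it
        if e["kind"] == "auth" and e["result"] == "ok":
            # Accounts with no baseline at all are flagged on first sight:
            # correct for a stolen-credential hunt, noisy for brand-new hires.
            if e["src"] not in known_src[e["user"]]:
                alerts.append(("new-source-login", e["user"], e["src"]))
        elif e["kind"] == "db" and e["rows"] >= bulk_rows:
            alerts.append(("bulk-read", e["user"], e["table"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the routine raises exactly two alerts, both against `jsmith` on 27 February: a successful login from an outside address the account had never used, followed by a read of the whole customer table. A real deployment would also correlate the failed attempt seconds earlier and the hour of day, but the baseline-plus-deviation shape is the same.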

Mr. Marks said eBay stored its financial data separately. Still, the company advised users with the same password for eBay and PayPal to change their passwords immediately.

Though notification laws differ, most states require that companies notify customers of a breach only if their names are compromised in combination with other information like a credit card or a Social Security number. But there are exceptions for encrypted information.

In eBay’s case, the company stored users’ names, email and physical addresses and birth dates in plain text but encrypted their passwords. Most states would not have required eBay to disclose the breach. But one state, North Dakota, requires companies to disclose a breach in cases where a customer’s name is compromised in conjunction with a birth date.

Mr. Carges said eBay did not store customers’ passwords themselves but only a hashed form of them: each password is run through a one-way mathematical function, and only the resulting “hash” is stored, so the original password cannot simply be read back out of the database.

To make cracking more difficult, Mr. Carges said, eBay also appended random data to each customer’s password before hashing it, a process known as salting. Salting makes cracking harder, although not impossible: an attacker can no longer crack every account with one precomputed table and must work on each account separately, and weak or reused passwords still fall to a wordlist.
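The hashing and salting described above, as an added example that is not eBay's code: it contrasts an unsalted fast hash with a per-account salted, iterated hash and shows what an attacker holding the stolen table can do with a small wordlist. The accounts, passwords, wordlist and iteration count are constructed assumptions, and the slow hash used here, PBKDF2-HMAC-SHA256, is chosen for illustration, since the article does not say which algorithm eBay used.

```python
"""Added example (not eBay's code): why a per-account salt and a slow hash
matter once the password table has been stolen.

Scheme A is a single unsalted SHA-256 per password. Scheme B draws a random
16-byte salt per account and runs PBKDF2-HMAC-SHA256 (an assumption; the
article does not name eBay's algorithm). Accounts, passwords and the wordlist
are constructed.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a cracking dictionary; "password" sits at index 3.
WORDLIST = ["123456", "qwerty", "letmein", "password", "ebay2014", "Summer14!"]
ITERATIONS = 50_000   # assumed cost factor; production deployments tune this upward


# --- Scheme A: unsalted, fast ------------------------------------------------

def hash_unsalted(password):
    """One SHA-256, no salt: equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(stolen, wordlist):
    """A single precomputed table serves every account: len(wordlist) hash
    evaluations no matter how many rows were stolen. Returns (cracked, work)."""
    table = {hash_unsalted(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in stolen.items() if h in table}
    return cracked, len(wordlist)


# --- Scheme B: per-account salt + iterated hash -------------------------------

def hash_salted(password, salt=None):
    """Fresh 16-byte random salt per password, then PBKDF2-HMAC-SHA256.
    Returns (salt, digest); both are stored, neither needs to be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, digest)


def crack_salted(stolen, wordlist):
    """No shared table is possible: every (account, word) pair costs a full
    PBKDF2 run, so the work grows with the number of accounts. Returns
    (cracked, work) where work counts PBKDF2 evaluations."""
    cracked, work = {}, 0
    for user, (salt, digest) in stolen.items():
        for w in wordlist:
            work += 1
            if verify_salted(w, salt, digest):
                cracked[user] = w
                break
    return cracked, work


def demo():
    """Three constructed accounts; two of them reuse the same weak password."""
    users = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
    stolen_a = {u: hash_unsalted(p) for u, p in users.items()}
    stolen_b = {u: hash_salted(p) for u, p in users.items()}
    cracked_a, work_a = crack_unsalted(stolen_a, WORDLIST)
    cracked_b, work_b = crack_salted(stolen_b, WORDLIST)
    return {
        # Without a salt the attacker can see that alice and bob share a password.
        "unsalted_reuse_visible": stolen_a["alice"] == stolen_a["bob"],
        "salted_reuse_visible": stolen_b["alice"][1] == stolen_b["bob"][1],
        "unsalted_cracked": cracked_a, "unsalted_work": work_a,
        "salted_cracked": cracked_b, "salted_work": work_b,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both schemes give up the two accounts that chose a dictionary word; the difference is cost. Scheme A cracks all three rows with six fast hashes and also reveals that two accounts share a password. Scheme B needs fourteen PBKDF2 runs, each tens of milliseconds here, and the cost would be 145 million times the wordlist size for the whole eBay table, which is why a salt plus a deliberately slow hash buys time for a forced password reset even though it does not make cracking impossible.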

Mr. Marks said that on Wednesday the company would begin prompting users to change their passwords and alerting customers to the breach.

Peter D. Lee, a spokesman for the F.B.I.’s San Francisco field office, said the F.B.I. was working closely with eBay to investigate the breach and that he believed that arrests would be made soon.

The breach at eBay is one of several recent hacking episodes at prominent companies. One that struck Target in December has cost the retailer $87 million in breach-related expenses, according to securities filings.

Because of erroneous information provided by a spokeswoman for the company, a previous version of this article misstated when eBay learned of an attack on its computers. EBay became aware of the breach in early May, and it was discovered that it had first occurred in late February; eBay did not discover the breach in February.



Hackers raid eBay in historic breach, access 145 million records

By Jim Finkle

BOSTON (Reuters) - EBay Inc said that hackers raided its network three months ago, accessing some 145 million user records in what is poised to go down as one of the biggest data breaches in history, based on the number of accounts compromised.

It advised customers to change their passwords immediately, saying they were among the pieces of data stolen by cyber criminals who carried out the attack between late February and early March.

EBay spokeswoman Amanda Miller told Reuters late on Wednesday that those passwords were encrypted and that the company had no reason to believe the hackers had broken the code that scrambled them.

"There is no evidence of impact on any eBay customers," Miller said. "We don't know that they decrypted the passwords because it would not be easy to do."

She said the hackers gained access to 145 million records of which they copied "a large part". Those records contained passwords as well as email addresses, birth dates, mailing addresses and other personal information, but not financial data such as credit card numbers.

Miller also said the company has hired FireEye Inc's Mandiant forensics division to help investigate the matter. Mandiant is known for publishing a February 2013 report that described what it said was a Shanghai-based hacking group linked to the People's Liberation Army.

EBay earlier said a large number of accounts may have been compromised, but declined to say how many.

Security experts advised EBay customers to be on the alert for fraud, especially if they used the same passwords for other accounts.

"People need to stop reusing passwords and should change their affected passwords immediately across all the sites where they are used," said Trey Ford, global security strategist with cybersecurity firm Rapid7.

Michael Coates, director of product security with Shape Security, said there is a significant risk that the hackers would unscramble the passwords because typically companies only ask users to change passwords if they believe there is a reasonable chance attackers may be able to do so.

Still, eBay said it had not seen any indication of increased fraudulent activity on its flagship site and that there was no evidence its PayPal online payment service had been breached.

EBay said the hackers got in after obtaining login credentials for "a small number" of employees, allowing them to access eBay's corporate network.

It discovered the breach in early May and immediately brought in security experts and law enforcement to investigate, Miller said.

"We worked aggressively and as quickly as possible to insure accurate and thorough disclosure of the nature and extent of the compromise," Miller said when asked why the company had not immediately notified users.

The breach could go down as the second-biggest in history at a U.S. company, based on the number of records accessed by the hackers.

Computer security experts say the biggest such breach was uncovered at software maker Adobe Systems Inc in October 2013, when hackers accessed about 152 million user accounts.

It would be larger than the one that Target Corp disclosed in December of last year, which included some 40 million payment card numbers and another 70 million customer records.

(Additional Reporting by Joseph Menn; Editing by Christopher Cushing)


145 million users exposed by phishing aimed at employees of online marketplace

This event was one of the biggest hacks of 2014. The online auction giant disclosed the attack in May 2014, stating that it exposed the names, addresses, dates of birth and encrypted passwords of 145 million users. Financial information, which was stored separately, was not compromised. The company's stock price took a major hit in the days after the breach, dipping to its lowest level since December 2013.

The company said hackers gained access to company systems using the access credentials of three employees. This account puts the attackers' access at 229 days, during which they were able to make their way to the user database; the other reports collected here date the intrusion to late February and its discovery to early May, roughly ten weeks.

Many consumers and security professionals were vocal in criticising the company's response, in particular its slow and limited disclosure to users. Some even called it one of the worst corporate crisis responses ever.


eBay hack 'one of the biggest data breaches in history'

Fears of widespread identity theft mount after 'catastrophic' eBay cyber-attack


The cyber-attack on eBay is poised to go down as one of the biggest data breaches in history, with experts warning that even after users have changed their passwords the breach could have "catastrophic" consequences.

Some 145 million user records have been accessed by hackers, the company announced in a statement yesterday. All eBay users have been advised to change their passwords immediately.

Web security experts warn that this may not be enough, and the ramifications of the hack could be "catastrophic".


Avivah Litan, an analyst at technology research firm Gartner told the Financial Post that if cyber-attackers manage to compile data from a variety of sources, "a massive incident is in the pipeline, such as widespread identity theft or thousands of financial accounts being taken over".

Alan Woodward, an independent security consultant, agrees: "The slightly worrying aspect of this is that the hackers have a nice neat list of personal information, which can be used to steal identities or even help them get around other systems through password reset scams", Woodward told the BBC.

More than 15 million British people, and over a hundred million more worldwide are at risk of identity theft after the attack, the Daily Telegraph notes. The online security breach leaves not just passwords, but also names, addresses and telephone numbers in the hands of hackers.

The danger also goes beyond the internet, the Telegraph notes, because some telephone banking services allow users to log in using their date of birth and address for verification. This could result in massive banking theft and financial fraud.

Paul Martini, the chief executive at iboss Network Security, said: “The damage could well have already been done, as the time lag between the cyber breach and the discovery of the breach is in the months. Cyber hackers may not hit the obvious target of siphoning money or goods out of eBay; they may take the personal information gained from the database and target other popular sites.”

MPs said that the US-based firm's delay in admitting to the breach was “inexcusable”.

eBay forces users to change passwords after cyber-attack

Online retailer eBay will force all 128 million of its users to change their passwords after discovering that the site had been compromised.

The company said databases containing encrypted passwords and other non-financial data had been attacked some time in February or March.

According to the company's records, no unauthorised activity has been recorded, but requiring all users to change their account details is "best practice and will help enhance security for eBay users".

The attack came about, eBay said in a post on its corporate site, because "cyber-attackers compromised a small number of employee log-in credentials, allowing unauthorised access to eBay's corporate network".

The post added: "Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers."

The retailer has 128 million active users and accounted for $212bn (£126bn) worth of transactions on its wide range of services in 2013, the BBC reports.

In spite of the company's reassurances that no illegal transactions had occurred, one expert told the BBC that the hackers might still be able to exploit the security breach.

"We all know that given enough time hackers can crack some encrypted password files," said Alan Woodward, an independent security consultant.

"The slightly worrying aspect of this is that the hackers have a nice neat list of personal information, which can be used to steal identities or even help them get around other systems through password reset scams."

eBay users are advised to visit the site and change their password as soon as possible.


eBay Inc. To Ask eBay Users To Change Passwords

eBay Inc. Staff

THISONE_0

eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.

Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers. We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.

Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.

The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.

The company said it has seen no indication of increased fraudulent account activity on eBay. The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.

Beginning later today, eBay users will be notified via email, site communications and other marketing channels to change their password. In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts.

About eBay Inc.

eBay Inc. (NASDAQ: EBAY) is a global commerce and payments leader, providing a robust platform where merchants of all sizes can compete and win. Founded in 1995 in San Jose, Calif., eBay Inc. connects millions of buyers and sellers and enabled $205 billion* of commerce volume in 2013. We do so through eBay, one of the world's largest online marketplaces, which allows users to buy and sell in nearly every country on earth; through PayPal, which enables individuals and businesses to securely, easily and quickly send and receive digital payments; and through eBay Enterprise, which enables omnichannel commerce, multichannel retailing and digital marketing for global enterprises in the U.S. and internationally. We also reach millions through specialized marketplaces such as StubHub, the world's largest ticket marketplace, and eBay classifieds sites, which together have a presence in more than 1,000 cities around the world. For more information about the company and its global portfolio of online brands, visit www.ebayinc.com .

* This adjusted number reflects decision to remove vehicles and real estate GMV from ongoing total GMV and ECV metrics (previously stated ECV for 2013 was $212 billion, incorporating vehicles and real estate GMV). 


Andy Greenberg

EBay Demonstrates How Not to Respond to a Huge Data Breach


Losing control of more than 100 million customers' information is an increasingly common corporate crisis. Flubbing the public revelation of that breach and failing to tell most of your customers represents a more special form of train wreck.

In the wake of eBay's revelation earlier this week that it had lost as many as 145 million customers' data, eBay users and security response professionals say they've been increasingly angered and amazed at the company's ham-fisted public response to an incident that's already sparked multiple government investigations. EBay's mistakes include taking days to post a notice about the breach on eBay.com and confusing users as to whether their PayPal accounts had also been affected. As of Friday afternoon, many, if not the majority, of the site's users still had received no email notification about the breach.

"It just seems like their response has been complete disarray and disorganization," says Dave Kennedy, the CEO of security consultancy and breach response firm TrustedSec. "This is one of the worst responses I’ve seen in the past ten years from a company that’s experienced a breach."

EBay initially warned its customers about their data's theft in a note on its little-seen corporate website Ebayinc.com, telling them that a "cyberattack" had compromised a database of names, phone numbers, home addresses, emails and encrypted passwords but not financial information. No mention of the breach appeared on eBay.com.

Around the same time it also inexplicably posted a statement to PayPal's site, which warned in its title that eBay users should change their passwords, but offered no further information in the post's body, only the words "place holder text." That message no doubt confused users who mistakenly thought their PayPal accounts may have also been affected. It was later deleted. "That seemed like a bit of a cockup," says Rik Ferguson, an analyst with security firm Trend Micro.

A screenshot of eBay's now-deleted post on its PayPal site.


Only on Friday did eBay post a note to its main eBay.com site, and in an abbreviated form that asked users to change their passwords but failed to mention whether financial information had also been caught up in the breach. The site also didn't force any users to change their password, allowing them to sign in as normal if they ignored its breach notification.

All of that would have been forgivable if the company had taken the no-brainer step of an immediate email blast warning users about the breach. Eva Velasquez of the non-profit Identity Theft Resource Center believes that the majority of eBay users still don't know their data has been stolen. She compares the incident to the far-more-visible breach of Target last December. "Our phone lines were blowing up with people calling about the Target breach asking what to do," she says. "This week, it’s been very quiet here."

Those serial acts of miscommunication signal that eBay, despite its role as one of the biggest ecommerce companies on the planet, may not have had a disclosure plan in place for the possibility of a breach. "For a company like eBay, this is one of the first tabletop exercises I’d ever do in an organization," says data breach consultant Kennedy. "They’re all over the place and don't seem to have prepared at all."

EBay spokesperson Amanda Christine Miller tells WIRED in an interview that the company has done its best to notify the public about its hacker attack and is emailing its 145 million users as fast as it can. "We’ve been working with law enforcement and security experts to do forensics on a global commerce platform, and we moved quickly and aggressively to investigate the matter," Miller says. "Once we knew the extent of the compromise, we undertook our disclosure and remediation plan."

When asked if eBay had such a plan in place before its breach occurred, Miller said the company has "many plans to deal with many different issues that arise."

EBay's breach by hackers occurred in late February or early March, but wasn't detected by the company until early this month. That's not a particularly long time to detection for companies that have suffered hacker intrusions. Last year's Verizon Data Breach Investigations Report found that 62 percent of breaches take "months" to discover, while only about a third are discovered within one month. But eBay, as an established internet giant, should be held to a different standard, says Trend Micro's Rik Ferguson. "For a huge global internet company with hundreds of millions of customers' information, that’s way too long."

Nor should it have taken weeks for the company to start emailing users about the possibility their data was stolen, says Paul Stephens of the Privacy Rights Clearinghouse, which keeps a database of data breach statistics. "This may be one of the largest, if not the largest data breach in history," Stephens says. "Why didn’t they immediately email their customers?"

In an interview with Reuters Friday afternoon, eBay's global marketplaces chief Devin Wenig said that the company's initial forensic investigation didn't reveal that any customer data had actually been compromised. That would partially explain the company's slow email response. But it doesn't explain its half-baked website statements, which were posted earlier.

EBay says the stolen user passwords were encrypted, but hasn't said what sort of encryption was used. That leaves open the possibility that they were hashed with a weak algorithm, or that they were reversibly encrypted and the decryption key could also have been stolen. The exposure of users' email addresses alone could allow them to be targeted with phishing attacks.
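As an added example (not code from the WIRED article, and not eBay's own storage scheme, which was never disclosed), the following shows why "encrypted" is not enough of an answer. A dump of unsalted, fast hashes falls to a single precomputed table for every user at once; a per-user random salt and a deliberately slow key-derivation function force the attacker to run the KDF separately for every user and every guess. The usernames, passwords, wordlist and iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed wordlist standing in for the attacker's dictionary; real ones hold millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "ebay2014"]


def weak_hash(password: str) -> str:
    """Unsalted, fast hash: one of the things 'encrypted passwords' has meant in breach notices."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_weak(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """One lookup table for the whole dump: every user whose password is in the wordlist falls at once."""
    table = {weak_hash(candidate): candidate for candidate in wordlist}
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


def strong_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256 from the standard library)."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), derived.hex()])


def verify_strong(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count, then compare in constant time."""
    _algo, iterations, salt_hex, derived_hex = stored.split("$")
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived.hex(), derived_hex)


def crack_strong(leaked: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """No shared table is possible: the salt differs per user, so each guess costs one full KDF run
    per user. Returns the recovered passwords and how many KDF runs it took."""
    recovered: Dict[str, str] = {}
    kdf_runs = 0
    for user, stored in leaked.items():
        for candidate in wordlist:
            kdf_runs += 1
            if verify_strong(candidate, stored):
                recovered[user] = candidate
                break
    return recovered, kdf_runs


def demo() -> Tuple[Dict[str, str], Dict[str, str], int]:
    """Constructed user database: one weak password that is in the wordlist, one that is not."""
    plaintexts = {"alice": "123456", "bob": "correct-horse-battery-staple"}
    weak_dump = {user: weak_hash(pw) for user, pw in plaintexts.items()}
    strong_dump = {user: strong_hash(pw) for user, pw in plaintexts.items()}
    weak_result = crack_weak(weak_dump, WORDLIST)
    strong_result, kdf_runs = crack_strong(strong_dump, WORDLIST)
    return weak_result, strong_result, kdf_runs


if __name__ == "__main__":
    weak, strong, runs = demo()
    print("unsalted SHA-1 dump, one table lookup:", weak)
    print("salted PBKDF2 dump after", runs, "KDF runs:", strong)
```

Both schemes give up alice's "123456"; the difference is cost. Against the SHA-1 dump the table is built once and reused for all 145 million accounts, while against the salted PBKDF2 dump every account costs a full wordlist of slow KDF runs, which is what turns a mass compromise into a per-user grind. A password reset is still the right response in either case, which is why asking users to change passwords and calling the data "encrypted" are not contradictory.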

Trend Micro's Rik Ferguson points to the company's message that payment data was stored on a "separate secure network" as evidence that eBay hasn't taken seriously enough the protection of its customers' non-financial personal data. "You have to question why they’re running a two-tier system," he says. "There’s no excuse for not having encrypted the personally-identifiable information of more than a hundred million people."

Ebay's data hack: what will the authorities do?

US giant under investigation

EBay has been the victim of what has been described as the 'biggest cyber-attack in history', with 233 million customers worldwide potentially affected. Although customers' passwords remain encrypted, personal information including names, addresses and dates of birth has been stolen.

In the wake of this news, it has been confirmed that the Information Commissioner is working with European data authorities to take action against EBay, alongside the various investigations already underway in the US.

To help discover the implications of all this, we put some questions to legal expert Emily Carter, a partner at law firm Kingsley Napley LLP.

Tech Radar Pro: What is the Information Commissioner's Office's remit?

Emily Carter: The Information Commissioner's Office is the UK's independent authority tasked with upholding information rights in the public interest. It provides guidance on the application of the law relating to data protection and freedom of information and voluntary audits of information handling by organisations.

Where the requirements of those laws are breached, it will handle complaints and take any necessary enforcement action.

TRP: In what circumstances can the Information Commissioner's Office take action against a global internet business such as EBay?

EC: Christopher Graham, the Information Commissioner, confirmed on Friday that it must co-ordinate with other jurisdictions when considering a global internet company like EBay. The US Federal Trade Commission will launch an investigation because EBay is an American company.

Within Europe, the Luxembourg data protection authority will take the lead as EBay's European headquarters are in Luxembourg. However, given there are reportedly up to 14 million active UK customers affected, the Information Commissioner's Office could still take action here.

TRP: What does data protection law require companies such as EBay to do in order to protect against hacking?

EC: The seventh data protection principle requires companies to have in place "Appropriate technical and organisational measures" to guard against hacking and other unauthorised or unlawful processing of personal data. Whether security is appropriate will depend on the nature of the information in question and the harm that might result from its improper use.

Given the size and resources of a company like EBay, and considering the vast amounts of personal data within its possession, I would expect that the Information Commissioner may very quickly conclude that the only "appropriate" approach to security would be to maintain the very best and most up-to-date data security systems available.

TRP: What sanctions are available to the Information Commissioner if Ebay has breached data protection law?

EC: The Information Commissioner is able to issue fines of up to £500,000. In a similar case last year, Sony was fined £250,000 by the Information Commissioner for not maintaining up-to-date security software, leading to the hacking of personal data of millions of customers, which in that case included passwords and card details.

TRP: What duty does EBay have to inform customers of a problem in a timely fashion?

EC: There is currently no statutory duty upon those holding and processing personal data to inform either the Information Commissioner or the individuals affected if a security breach takes place. However, guidance issued by the Information Commissioner's Office states that in cases of serious data breach, the organisation should contact his office.

A breach will be considered serious where there is potential detriment to individuals. In this case, it appears that neither the Information Commissioner nor customers were informed for up to two weeks after the security breach was identified.

TRP: What is the potential impact of EBay's reported delay in alerting the data authorities and customers of a security breach?

EC: This is an issue which the Information Commissioner's Office can take into account when determining the appropriate level of financial penalty for the company.

Desire Athow

eBay 2014 data breach: With Big Data comes Big Responsibility

Gaurav Singh

EXECUTIVE SUMMARY:

With the dawn of big data in this new age of technology, everything is being revolutionized. Each passing year brings new advances in technology, but the immaturity of those advances also opens new ways for them to be exploited. Information is everything: big companies like Google, Amazon, eBay and Facebook hold huge amounts of data about their customers and are prime targets for attackers. With big data comes big responsibility, and corporations have to be on alert all the time. Data is valuable, and strict security measures have to be taken to make sure hackers don't get their hands on it, yet from the beginning there has always been a breach at one corporation or another. This paper looks into eBay, which was the victim of a data breach in 2014 that exposed the customer data of almost 145 million users, the reasons behind what went wrong, and what should have been done.

INTRODUCTION

eBay is an American corporation based in California. It was founded by Pierre Omidyar in the autumn of 1995. It was an instant success and became a model for the new wave of internet-based businesses; by 2011 its operations had grown to 30 countries. The company operates on a consumer-to-consumer and business-to-consumer model through its website and provides a wide range of services, including selling, buying, auctioning and much more.

Being the first of its kind and founded during the dot-com boom, eBay grew exponentially, like other internet companies of the era. Its IPO was priced at $18 a share and closed at $53 on the first day of trading. In January 1997 it hosted 2,000,000 auctions, compared with 250,000 during all of 1996, and by 2001 it had the largest user base of any e-commerce site. The growth was phenomenal: eBay had established its user base and its place in the market, and with little competition around, it flourished.

As time went on, eBay purchased PayPal, which became its own payment option, and by 2010 it had a very large network. Its databases contained data about its customers: payment information, login credentials and more. In 2014 a group of hackers obtained the login credentials of three eBay employees, which gave them access to eBay's internal network. The hackers used those credentials to log in and steal the customer data of almost 145 million users from its database. Payment information was not stolen, as it was stored in a separate location and required a different kind of access, but eBay still lost a huge amount of data. What made matters even worse was that eBay did not realize there had been a breach for roughly two months, and public disclosure came nearly three months after the intrusion began; only then did it start taking measures to reduce the damage. eBay lacked the security measures that would have prevented the intrusion or detected it promptly.

The Breach:

What happened? The credentials of three employees were compromised, which gave the hackers easy access to the eBay network and let them exfiltrate customer data including physical addresses, phone numbers, dates of birth, names, encrypted passwords and email addresses (reuters.com). One of the most common ways such passwords are stolen is through phishing. People also reuse the same password across different platforms, so the compromise of one asset often leads to the compromise of another.

Once the hackers were inside the system, they had easy access to its features and could move around without raising much suspicion. They could have pivoted between the various applications inside the compromised environment: for example, a web application might have granted access to credentials which in turn enabled the retrieval of user data. By moving between services with the information they obtained, they could pull other classes of data.

The chances of this happening are quite high in big organizations, because they offer a broad range of services. In eBay's case the attack was carried out under legitimate employee accounts, which made it even harder to detect. There is no single security product or control that can prevent data breaches; the most reasonable means of preventing them involve common-sense security practices: knowing the security basics, such as using strong passwords, not opening unknown links, being aware of social engineering, applying proven malware protection and applying the necessary software patches on all systems (searchsecurity.techtarget).

eBay's poor crisis management is a key reason for the backlash the company received from the public. Not only did the hackers get into eBay's network, they were also able to exfiltrate the data without timely detection. The breach was disclosed nearly three months after it happened. Once eBay found out, it asked users to reset their passwords manually. In addition, the company maintained that financial and credit card data was held in a separate encrypted database and was therefore not vulnerable to the attack. However, the decision to ask users to change their passwords sat uneasily with the statement that the stolen data was protected by encryption. The whole process was seen as mishandled and resulted in a public outcry (Troy Hunt, 2014).

Aftermath. The higher the fall, the more it hurts, and for eBay a fall at this stage had huge repercussions. The result of this poor management was reflected in diminishing customer activity on its website right after the breach was announced. The company also reported a significant loss of customers and, beyond that, a loss of about $200 million in revenue. eBay had clearly made a number of mistakes before and after the breach, and it should use this incident as a guide for the future (James Taylor, 2017).

After eBay asked the public to change passwords, a huge rush of traffic hit its website at once, which, combined with poor management on eBay's part, led to a jam. Large numbers of requests arrived on the platform, and eBay did not have the capacity to handle them all at the same time. This led to a further loss of face in front of the public.

The next big question to ask is: what were the core problems inside eBay that led to such a fiasco?

Problem Statement:

eBay faced an attack and failed on multiple levels. The attackers used stolen employee credentials, moved through the system and went unnoticed for months. A company as big as eBay should have had the right preventive measures to protect itself from attacks like this, and its employees did not have the training or awareness to stop them. This kind of sloppiness is not expected from a company like eBay. To better understand the predicament, the root of the problem needs to be comprehended, so let us take a deeper look and find out exactly how eBay came to be in the position it was in.

Lack of proper security:

There was a clear lack of security controls. In an era when two-factor authentication is fast becoming standard, eBay did not have 2FA in place, so the hackers could get in with stolen passwords alone; had it been in place, it would not have been so easy for them to access the internal network. Lacking such basic security features is not acceptable for a company like eBay, which holds copious amounts of sensitive user information.

Inadequate employee training:

The point of entry into the network was provided by none other than eBay's own employees: the login credentials of three of them were compromised. There are several ways the attackers could have obtained them, the most likely being phishing or other social engineering.

Employees should have known not to open emails and links from unknown senders, and to use different credentials for different applications, which would have contained the damage. Lack of knowledge about such basic things suggests how poorly they were trained. This simple, easily preventable mistake led to an event that cost the company millions of dollars and a loss of reputation and trust among its customers.

Lack of transparency and communication:

eBay's lack of transparency and communication has been a huge problem for its reputation. The fact that it failed to detect the attack for months, and then gave no clear timeline for the incident, led the public to question how and why the breach happened. Customer complaints were poorly handled, and without proper customer service the situation was a long way from getting better.

Bad customer service:

In the aftermath, users rushed to eBay's website after learning that their information had been compromised. eBay had not thought this through: there was a surge in traffic and a large number of requests to process at once, which led to further delays and made recovery take even longer. It also took eBay months to realize what had happened and inform users about the attack. Such weak detection gave the attackers all the time they needed to get into the system and take the data they wanted. Customers trust eBay with sensitive information, and it is eBay's responsibility to keep that data safe in every way it can; failure to do so cost it business and gave rival companies a chance to grab more market share.

All these mistakes cost eBay customers, almost $200 million in revenue, and a loss of trust among its user base that will be hard to recover.

How could this have been prevented?

Having proper security protocols:

In this new age of technology, where we have access to the internet almost everywhere, eBay had very lax security measures. It did not even have two-factor authentication in place when it had been implemented almost everywhere else; had it been deployed, it would have been difficult for any outsider to gain access to the system.

Beyond that, regular monitoring of its systems would have helped eBay recognize an intrusion in time. Proper anti-malware should be installed, and regular system checks should be compulsory.
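The "regular checks" called for here, and the observation in "The Breach" section that the attackers operated under legitimate employee accounts, come down to the same thing: the accounts were valid, so detection has to key on how they were used rather than on who they were. The following is an added example, not eBay's tooling and not from the original paper, of three such checks run over constructed access-log lines: a valid account used from outside the corporate address space, customer records touched outside working hours, and a daily record volume far above what a support role needs. The log format, the corporate network range, the working hours and the volume limit are all assumptions made for the demonstration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed log lines (not eBay's): timestamp, employee account, source IP, action, records touched.
SAMPLE_LOG = """\
2014-02-27T09:12:04Z user=jsmith src=10.20.1.15 action=customer_lookup records=3
2014-02-27T09:40:51Z user=jsmith src=10.20.1.15 action=customer_lookup records=1
2014-02-27T10:05:17Z user=alee src=10.20.3.40 action=customer_lookup records=2
2014-02-28T02:13:09Z user=jsmith src=203.0.113.77 action=login records=0
2014-02-28T02:14:30Z user=jsmith src=203.0.113.77 action=customer_export records=500000
2014-02-28T02:31:02Z user=jsmith src=203.0.113.77 action=customer_export records=750000
2014-02-28T11:00:00Z user=alee src=10.20.3.40 action=customer_lookup records=4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) records=(?P<records>\d+)$"
)

# Assumed baselines; a real deployment would derive them per role from historical data.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DAILY_RECORD_LIMIT = 10_000
WORK_HOURS = range(7, 20)  # 07:00-19:59 UTC

Alert = Tuple[str, str, str]  # (rule, user, detail)


def parse_log(text: str) -> List[dict]:
    """Turn the key=value lines into events; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        events.append({
            "ts": datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": f["user"],
            "src": ipaddress.ip_address(f["src"]),
            "action": f["action"],
            "records": int(f["records"]),
        })
    return events


def detect(events: List[dict]) -> List[Alert]:
    """Apply the three behavioural rules in time order and return every alert raised."""
    alerts: List[Alert] = []
    daily_records: Dict[tuple, int] = defaultdict(int)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        stamp = e["ts"].isoformat()
        # Rule 1: a valid account used from outside the corporate address space.
        if not any(e["src"] in net for net in CORPORATE_NETS):
            alerts.append(("external_source", e["user"], f"{stamp} from {e['src']}"))
        # Rule 2: customer records touched outside working hours.
        if e["records"] > 0 and e["ts"].hour not in WORK_HOURS:
            alerts.append(("off_hours_access", e["user"], f"{stamp} {e['action']} {e['records']} records"))
        # Rule 3: daily record volume crosses the limit (fires once per user per day, not per line).
        key = (e["user"], e["ts"].date())
        before = daily_records[key]
        daily_records[key] += e["records"]
        if before <= DAILY_RECORD_LIMIT < daily_records[key]:
            alerts.append(("volume", e["user"], f"{e['ts'].date()} total {daily_records[key]} records"))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per rule, the view a triage dashboard would show first."""
    return dict(Counter(rule for rule, _, _ in alerts))


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(*alert)
```

None of the three rules needs to know the credential was stolen; each fires on behaviour that the legitimate account holder would not normally exhibit, and the volume rule in particular would have flagged a bulk export long before a months-long dwell time ran out. The thresholds are the weak point of any such detector and should be set per role from real baselines rather than guessed.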

Proper employee training:

Well-written security policies for employees and proper training go a long way. Policies may include concepts such as the principle of least privilege, which gives employees the bare minimum permissions and rights needed to perform their duties. In addition, there should be an incident response plan that can be put into action in a crisis or in the event of an intrusion.

Better customer service:

A better customer service team, staffed by people who know their job well enough to handle a crisis, should be ready for situations like the one eBay faced. There should be measures in place for a quicker response to the public about the company's information security program, especially in times of crisis. Taking better care of customers also helps grow the user base and keeps users happy.

Use updated software and applications:

Software and applications are updated regularly, and if an organization does not keep up, attackers are left with a known path to exploit: a bug they already know how to use in their favor. So it is important to keep updating them regularly.

These are some of the basic things which, had they been kept in check, might have allowed the whole attack to be avoided.

In the age of data, security is one of the biggest concerns; whatever the company, security is a domain that cannot be taken lightly. In eBay's case hackers got easy entry because of improper training and sloppiness among its employees, and the matter later escalated because eBay did not have enough preventive measures in place to detect an intrusion. This negligence cost the company millions of dollars and goodwill that it will struggle to make up. It also teaches us that it is important to take care of the small things, the small protocols and preventive measures, because sometimes even a small mistake can lead to something big. This was a lesson not just for eBay but for every other company that handles such copious amounts of sensitive information, and they should learn from the mistake so that it never happens again.

Finkle, Jim. “Exclusive: EBay Initially Believed User Data Safe after Cyberattack.”  Reuters , Thomson Reuters, 23 May 2014, www.reuters.com/article/us-ebay-cybercrime/exclusive-ebay-initially-believed-user-data-safe-after-cyberattack-idUSBREA4M0PH20140523 .

Rouse, Margaret, and Kevin Ferguson. “What Is a Data Breach? Definition from WhatIs.com.” SearchSecurity, TechTarget, https://searchsecurity.techtarget.com/definition/data-breach .

Hunt, Troy. “The EBay Breach: Answers to the Questions That Will Inevitably Be Asked.”  Troy Hunt , Troy Hunt, 21 May 2014, www.troyhunt.com/the-ebay-breach-answers-to-questions/ .

Taylor, James. “Security Breach at EBay.”  Essay Typing , 5 Oct. 2017, www.essaytyping.com/security-breach-ebay/ .

Shweta Sharma

The biggest data breach fines, penalties, and settlements so far

Hacks and data thefts, enabled by weak security, cover-ups or avoidable mistakes, have cost these companies a total of nearly $4.4 billion and counting.

Sizable fines assessed for data breaches in recent years suggest that regulators are getting more serious about cracking down on organizations that don’t properly protect consumer data.

Hit with a $1.3 billion fine for unlawfully transferring personal data from the European Union to the US, Meta tops the list of recent big-ticket sanctions, with the only other ten-figure fine levied against the Chinese firm Didi Global for violating that nation's data protection laws. The third-largest penalty was the $877 million fine against Amazon in 2021 for running afoul of the General Data Protection Regulation (GDPR) in Europe.

Here are the biggest fines and penalties assessed for data breaches or non-compliance with security and privacy laws.

1. Meta (Facebook) : $1.3 Billion

In May 2023, Ireland’s Data Protection Commission (DPC) concluded an inquiry into Meta Platforms Ireland Limited (“Meta Ireland”) that it had initiated in August 2020, fining the social media giant €1.2 billion ($1.3 billion) for violation of the GDPR. With regard to Article 46(1) of the GDPR, the Irish privacy watchdog faulted Meta Ireland for transferring personal data from the EU or the European Economic Area (EEA) to the US without adequate data privacy safeguards in connection with the delivery of its Facebook service. Meta’s president of global affairs, Nick Clegg, said, “We intend to appeal both the decision’s substance and its orders including the fine, and will seek a stay through the courts to pause the implementation deadlines.”

2. Didi Global: $1.19 billion

Chinese ride-hailing firm Didi Global was fined 8.026 billion yuan ($1.19 billion) by the Cyberspace Administration of China after it decided that the company had violated the nation’s network security law, data security law and personal information protection law. In a statement, Didi Global said it accepted the cybersecurity regulator’s decision, which came after a year-long investigation into the firm over its security practices and “suspected illegal activities.”

3. Amazon: $877 million

In summer 2021, retail giant Amazon’s financial records revealed that officials in Luxembourg had issued a €746 million (then $877 million) fine for breaches of the GDPR. Amazon was expected to appeal the fine, with a spokesperson stating, “There has been no data breach, and no customer data has been exposed to any third party.” La Quadrature du Net, the French digital rights organization that filed the original data protection complaint against Amazon on behalf of 10,065 individual complainants in May 2018, said that was unsurprising, since its 19-page complaint targeted Amazon’s operation of a behavioral advertising system without adequate consent, and not a leak of personal data.

4. Equifax: (At least) $575 Million

In 2017 Equifax lost the personal and financial information of nearly 150 million people through a critical, unpatched vulnerability in the Apache Struts web framework used by one of its web applications. The company had failed to fix the vulnerability months after a patch had been issued, and then failed to inform the public of the breach for weeks after it had been discovered.

In July 2019 the credit agency  agreed to pay  $575 million — potentially rising to $700 million — in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories over the company’s “failure to take reasonable steps to secure its network.” 

$300 million of that will go to a fund providing affected consumers with credit monitoring services (another $125 million will be added if the initial payment is not enough to compensate consumers), $175 million will go to 48 states, the District of Columbia and Puerto Rico, and $100 million will go to the CFPB. The settlement also requires the company to obtain third-party assessments of its information security program every two years.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” said FTC Chairman Joe Simons. “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers.”

Equifax had already been fined £500,000 [~$625,000]  in the UK for the 2017 breach, which was the maximum fine allowed under the pre-GDPR Data Protection Act 1998.

In 2020, Equifax was made to pay further settlements relating to the breach: $7.75 million (plus $2 million in legal fees) to financial institutions in the US, plus $18.2 million and $19.5 million to the states of Massachusetts and Indiana respectively.

5. Meta (Facebook, Instagram): $413 million

Concluding two inquiries into Meta’s data processing operations in Europe, both opened on the day the GDPR came into force (25 May 2018), the Irish Data Protection Commission (DPC) announced in January 2023 that it had found Meta’s platforms in breach of the GDPR “in connection with the delivery of its Facebook and Instagram services”. Meta Ireland was fined €210 million ($225 million) for the Facebook violations and €180 million ($193 million) for the Instagram violations.

Meta’s data processing operations for the Facebook and Instagram services were found in violation of several articles of the GDPR, including Articles 5(1)(a), 6(1), 12 and 13(1)(c), relating to its transparency and information obligations.

6. Instagram: $403 million

In September 2022, Ireland’s Data Protection Commissioner (DPC) fined Instagram for violating children’s privacy under the terms of the GDPR. The long-running complaint concerned data belonging to minors, particularly phone numbers and email addresses, which was made more public when some young users upgraded their profiles to business accounts to access analytics tools such as profile visits.

Instagram’s owner, Meta, said it planned to appeal against the decision. “This inquiry focused on old settings that we updated over a year ago and we’ve since released many new features to help keep teens safe and their information private,” a  Meta official told BBC News . “While we’ve engaged fully with the DPC throughout their inquiry, we disagree with how this fine was calculated and intend to appeal it.”

Andy Burrows, child-safety-online policy head at the National Society for the Prevention of Cruelty to Children (NSPCC) said, “This was a major breach that had significant safeguarding implications and the potential to cause real harm to children using Instagram. The ruling demonstrates how effective enforcement can protect children on social media and underlines how regulation is already making children safer online.”

7. TikTok: €345 million ($370 million)

In September 2023, TikTok was handed a €345 million ($370 million) fine by the Irish Data Protection Commission (DPC) for violating children’s data privacy under GDPR law. The DPC found that TikTok had not been transparent enough with children about its privacy settings, and raised questions about how their data was processed.

The inquiry sought to examine the extent to which, during the period between July 31 2020 and December 31 2020, TikTok complied with its obligations under the GDPR in relation to its processing of personal data relating to child users of the TikTok platform in the context of:

  • Certain TikTok platform settings, including public-by-default settings as well as the settings associated with the Family Pairing feature.
  • Age verification as part of the registration process.

“As part of the inquiry, the DPC also examined certain of TTL’s transparency obligations, including the extent of information provided to child users in relation to default settings,” the DPC said (TTL being TikTok Technology Limited, the Irish entity under inquiry). The DPC’s decision, which was adopted on September 1, 2023, recorded findings of infringement of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), 13(1)(e) and 5(1)(a) GDPR, relating to a range of matters including data security, data protection by design, and data processing.

A spokesperson for the social media firm told media outlets, “We respectfully disagree with the decision, particularly the level of the fine imposed.”

8. T-Mobile: $350 million

In July 2022, mobile communications giant T-Mobile announced the terms of a settlement for a consolidated class action lawsuit following a data breach that occurred in early 2021, impacting an estimated 77 million people. The incident centered around “unauthorized access” to T-Mobile’s systems after a portion of customer data was listed for sale on a known cybercriminal forum. In an  SEC filing , it was revealed that T-Mobile would pay an aggregate of $350 million to fund claims submitted by class members, the legal fees of plaintiffs’ counsel, and the costs of administering the settlement. The company would also commit to an aggregate incremental spend of $150 million for data security and related technology in 2022 and 2023.

“The company anticipates that, upon court approval, the settlement will provide a full release of all claims arising out of the cyberattack by class members, who do not opt out, against all defendants, including the company, its subsidiaries and affiliates, and its directors and officers,” the filing read. “The settlement contains no admission of liability, wrongdoing or responsibility by any of the defendants. Class members consist of all individuals whose personal information was compromised in the breach, subject to certain exceptions set forth in the agreement. The company believes that terms of the proposed settlement are in line with other settlements of similar types of claims,” it added.

9. Meta (Facebook): $277 million

In November 2022, the Irish Data Protection Commission (DPC) fined Meta €265 million ($277 million) over the scraping and online exposure of more than 500 million Facebook users’ personal information. The DPC started its inquiry on April 14, 2021, following reports of a collated data set of Facebook personal data that had been made available on the internet. The scope of the inquiry concerned an examination and assessment of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited (“MPIL”) between May 25, 2018, and September 2019. “The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default,” the DPC wrote. “The DPC examined the implementation of technical and organizational measures pursuant to Article 25 GDPR (which deals with this concept). There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC.”

The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.

10. WhatsApp: $255 million

Facebook-owned messaging service WhatsApp was fined €225 million ($255 million) by the Irish Data Protection Commission in September 2021 for a series of cross-border GDPR infringements. The fine followed a lengthy investigation and enforcement process that began in December 2018 and involved objections from other EU supervisory authorities to the DPC’s draft decision and proposed sanction, resulting in a referral to, and a binding ruling from, the European Data Protection Board. The allegations stemmed from complaints by users and non-users of WhatsApp’s services and concerned breaches of the transparency and data subject information obligations under Articles 12, 13 and 14 of the GDPR.

11. Home Depot: ~$200 million

In 2014 Home Depot suffered one of the largest data breaches to date involving a point-of-sale (POS) system, leading to a series of fines and settlements. Credentials stolen from a third-party vendor let the attackers into Home Depot’s network, where they elevated privileges and eventually deployed malware on the POS systems. Some 56 million payment card numbers and 53 million email addresses were stolen over a five-month period between April and September 2014.

Home Depot has reportedly paid out at least $134.5 million to credit card companies and banks as a result of the breach. In addition, in 2016 Home Depot agreed to pay $19.5 million to affected customers, a figure that included the cost of credit monitoring services for breach victims. In 2017 the firm agreed to pay a further $25 million to the financial institutions affected by the breach to cover their losses.

Breaches can have a long tail of costs, especially when it comes to fines and settlements. In November 2020, the retailer paid a further $17.5 million to settle with 46 US states and Washington, DC, over the breach. The agreement also compels Home Depot to employ a highly qualified CISO, provide security training for key personnel, and maintain security controls and policies in areas such as identity and access management, monitoring, and incident response.

12. Capital One: $190 million

In December 2021, Capital One agreed to pay $190 million to settle a class-action lawsuit filed against it by U.S. customers over a 2019 data breach that affected about 100 million people. The settlement came more than a year after the U.S. Office of the Comptroller of the Currency (OCC) fined Capital One $80 million, in August 2020, over the same breach.

A former AWS software engineer was behind the attack, which exposed information including, for a subset of customers, linked bank account numbers. “While Capital One and AWS deny all liability, in the interest of avoiding the time, expense and uncertainty of continued litigation, plaintiffs and Capital One have executed a term sheet containing the essential terms of a class settlement that, if approved by this court, will fully resolve all claims brought by plaintiffs,” a filing with the U.S. District Court for the Eastern District of Virginia read. In an emailed statement, Capital One said that the key facts in the case had not changed since it announced the incident in coordination with federal authorities more than two years earlier: the hacker was arrested and the stolen data recovered before it could be disseminated or used for fraudulent purposes. “We are pleased to have reached an agreement that will resolve the consumer class litigation in the U.S.,” the company added.

13. Uber: $148 million

In 2016 ride-hailing company Uber had the personal data of 57 million riders and drivers breached, including the driver’s license numbers of about 600,000 drivers. Instead of reporting the incident, the company paid the perpetrators $100,000 to keep the hack under wraps. Those actions cost the company dearly: in 2018 Uber agreed to a $148 million settlement with all 50 US states and the District of Columbia, the biggest data-breach penalty in history at the time, for violating state data breach notification laws.

14. Morgan Stanley: $120 million (total)

In January 2022, investment bank and financial services giant Morgan Stanley agreed to pay $60 million to settle a legal claim relating to its data security. The agreement, subject to approval by a federal judge in Manhattan, resolves a class-action lawsuit filed against the company in July 2020 over two security incidents that compromised the personal data of approximately 15 million customers. The claimants alleged that Morgan Stanley failed to protect the personally identifiable information (PII) of current and former clients: data center equipment decommissioned by the firm in 2016 and 2019 was not properly wiped, and a software flaw left unencrypted, sensitive data readable by whoever purchased the equipment.

The proposed settlement came more than a year after Morgan Stanley was handed a separate $60 million civil penalty by the Office of the Comptroller of the Currency (OCC), in October 2020, in relation to the same incidents. The OCC stated that Morgan Stanley failed “to exercise proper oversight of the 2016 decommissioning of two Wealth Management business data centers located in the U.S. Among other things, the banks failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices.” In 2019, the banks experienced similar vendor management control deficiencies in connection with decommissioning other network devices that also stored customer data, the OCC added.

In a statement on the recent settlement agreement, Morgan Stanley said: “We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation.”
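The Morgan Stanley penalties turned on decommissioned storage that was never properly wiped, a failure that is cheap to catch before hardware leaves the building. The script below is an added example, not part of this article and not Morgan Stanley's, the OCC's or any vendor's procedure: it walks a raw image of a device after a wipe and flags every block that is neither zero-filled (a zero-fill pass) nor close to maximum entropy (a random-overwrite pass), since leftover customer records, database pages and CSV exports look like neither. The 4 KiB block size, the 0.9 entropy threshold and the sample image it builds are assumptions made for this example.

```python
import io
import math
import os
from collections import Counter
from typing import BinaryIO

BLOCK = 4096  # audit granularity, chosen to match a typical filesystem block (assumption)


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte: about 7.95 for a full 4 KiB block of random data,
    0.0 for a constant fill, and roughly 4 to 5 for text, CSV or XML exports."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def classify_chunk(chunk: bytes, random_fraction: float = 0.9) -> str:
    """'zero' for a zero-filled chunk, 'random' when entropy is close to the maximum
    a chunk of this length can reach (a random-overwrite pass), otherwise 'residual':
    structured data the wipe did not touch."""
    if not any(chunk):
        return "zero"
    # A short trailing chunk cannot reach 8 bits/byte, so scale the bar to its length.
    max_bits = min(8.0, math.log2(len(chunk)))
    if shannon_entropy(chunk) >= random_fraction * max_bits:
        return "random"
    return "residual"


def audit_wipe_stream(stream: BinaryIO, chunk_size: int = BLOCK) -> dict:
    """Walk a raw disk image chunk by chunk, count chunks by class, and record the
    offsets of the first residual chunks so an auditor can inspect them in a hex viewer."""
    report = {"chunks": 0, "zero": 0, "random": 0, "residual": 0, "residual_offsets": []}
    offset = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        kind = classify_chunk(chunk)
        report["chunks"] += 1
        report[kind] += 1
        if kind == "residual" and len(report["residual_offsets"]) < 8:
            report["residual_offsets"].append(offset)
        offset += len(chunk)
    return report


def audit_wipe_bytes(data: bytes, chunk_size: int = BLOCK) -> dict:
    return audit_wipe_stream(io.BytesIO(data), chunk_size)


def audit_wipe_file(path: str, chunk_size: int = BLOCK) -> dict:
    """Audit an image on disk, e.g. one taken with dd from the decommissioned device."""
    with open(path, "rb") as f:
        return audit_wipe_stream(f, chunk_size)


def is_wiped(report: dict) -> bool:
    """Pass only if every chunk is zero-filled or random: a single residual chunk
    means customer data may still be recoverable from the device."""
    return report["chunks"] > 0 and report["residual"] == 0


def build_sample_image(leftover_record: bool) -> bytes:
    """Constructed sample image for this example (hypothetical data): four zeroed
    blocks, optionally one block still holding a client record the wipe missed,
    then four random-overwritten blocks."""
    image = b"\x00" * (4 * BLOCK)
    if leftover_record:
        record = b"client_id=000123;name=Example Client;account=XXXX-0001;"
        image += record.ljust(BLOCK, b"\x00")
    image += os.urandom(4 * BLOCK)
    return image


if __name__ == "__main__":
    for leftover in (False, True):
        report = audit_wipe_bytes(build_sample_image(leftover))
        verdict = "PASS" if is_wiped(report) else "FAIL"
        print(f"leftover_record={leftover}: {verdict} {report}")
```

The check is deliberately conservative: a block that is mostly zeros with a few dozen bytes of a client record is flagged as residual, not treated as "wiped enough". Run it against an image of every device before it is handed to a disposal vendor, and keep the report with the device's serial number as the inventory evidence the OCC found missing.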

15. Google: $102 million

On January 6, 2022, French data protection authority the CNIL fined Google €90 million ($102 million) over the way Google implements cookie consent on google.fr and YouTube. The penalty was imposed on Google LLC; the CNIL fined Google Ireland Limited a further €60 million in the same decision. “The CNIL has received many complaints about the way cookies can be refused on the websites google.fr and youtube.com,” it wrote. “In June 2021, the CNIL carried out an online investigation on these websites and found that, while they offer a button allowing immediate acceptance of cookies, the sites do not implement an equivalent solution (button or other) enabling the user to refuse the deposit of cookies equally easily. Several clicks are required to refuse all cookies, against a single one to accept them.” The restricted committee considered that this process affected the freedom of consent of internet users and constituted an infringement of Article 82 of the French Data Protection Act.

Editor’s note: This article, originally published in July 2019, is frequently updated as new information on incident penalties becomes available.


Shweta Sharma

Shweta Sharma is a senior journalist covering enterprise information security and digital ledger technologies for IDG’s CSO Online, Computerworld, and other enterprise sites.


Michael Hill

Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.


American Bar Association defeats members' lawsuit over data breach

Reporting by Sara Merken

Sara Merken reports on the business of law, including legal innovation and law firms in New York and nationally.


COMMENTS

  1. Lessons from the eBay cyber attack

    What is worrying is the way eBay seems to have tried to play down this event. It emphasised that the hackers only obtained a "small number" of employee login credentials - but the theft of ...

  2. The eBay Data Breach: What You Need To Know

    Dealing With The Security Breach One of the most concerning aspects about this case is the timeline. It seems remarkable that eBay did not detect the breach sooner, something that may indicate a hacking operation of particular skill (equally, it could mean that eBay's database security is not fit for purpose).

  3. Hackers raid eBay in historic breach, access 145M records

    Hack attack at eBay. EBay said that hackers raided its network three months ago, accessing some 145 million user records in what is poised to go down as one of the biggest data breaches in history ...

  4. 2014 Cyber-attack on eBay Case Study Analysis

    The authors briefly summarize and discuss the 2014 eBay data breach, a malicious action which hackers brought upon the sales channel through various phishing attacks. This case study defines phishing attacks and presents techniques which one can use to avoid being a victim of them.

  5. EBay Urges New Passwords After Breach

    Justin Sullivan/Getty Images. SAN FRANCISCO — In the latest prominent breach of a company's computer network, hackers have infiltrated the online marketplace eBay, gaining access to the ...

  6. Raising awareness quickly: The eBay data breach

    The best way to avoid this is to access eBay directly, and reset your password on the website. Once eBay has their notification system in place, when you access the website, you'll be prompted to ...

  7. Ebay reveals cyber attack on database

    The attack on eBay demonstrates the vulnerability even of well-established sites with strong security teams and no history of prior data breaches. "I don't remember any time that [eBay's ...

  8. Exclusive: EBay initially believed user data safe after cyberattack

    By Jim Finkle and Deepa Seetharaman BOSTON/SAN FRANCISCO (Reuters) - EBay Inc initially believed that its customers' data was safe as forensic investigators reviewed a network security breach discovered in early May and made public this week, a senior executive told Reuters on Friday. EBay has come under fire over its handling of the cyberattack, in which hackers accessed personal data of all ...

  9. Ebay Data Breach: Case Study

    The Ebay data breach is a case study that sheds light on the importance of cybersecurity and highlights the consequences of inadequate network security. Background on the Ebay Data Breach. Magnitude. The Ebay data breach, which occurred in 2014, is considered one of the largest cyberattacks in history, affecting approximately 145 million users. ...

  10. U.S. states probe eBay cyber attack as customers complain

    BOSTON/NEW YORK (Reuters) - EBay Inc came under pressure on Thursday over a massive hacking of customer data as three U.S. states began investigating the e-commerce company's security practices ...

  11. eBay Inc. Data breach 145 million users affected

    Case study of eBay Inc.'s data breach from May 2014 which was one of 2014's biggest hacks. The online auction giant disclosed that names, addresses, dates of birth and encrypted passwords of 145 million users were exposed. Financial information which was stored separately was not compromised.

  12. eBay hack 'one of the biggest data breaches in history'

    The cyber-attack on eBay is poised to go down as one of the biggest data breaches in history, with experts warning that even after users have changed their passwords the breach could have ...

  13. PDF Cyber attack on ebay

    Fallout. eBay criticized for not informing customers of data breach quickly enough. They took two weeks after discovering the breach. Users were advised to change passwords. Three US States (Florida, Illinois, Connecticut) launched a joint investigation into the attack, with the Federal Trade Commission (FTC)

  14. eBay Inc. To Ask eBay Users To Change Passwords

    To Ask eBay Users To Change Passwords. eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence ...

  15. EBay Demonstrates How Not to Respond to a Huge Data Breach

    EBay Demonstrates How Not to Respond to a Huge Data Breach. Losing control of more than a hundred million customers' information is an increasingly common corporate crisis. Flubbing the public ...

  16. CASE Study and social sciences

    CASE STUDY: EBAY DATA BREACH. By. Name of the Class (Course) Professor (Tutor) Name of the University The City and State of University Date. ABSTRACT. The eBay attack is arguably one of the major data breaches of the 21st century. It is said to have occurred due to leakage of employees' credentials because of a breach method called spear ...

  17. Ebay's data hack: what will the authorities do?

    The US Federal Trade Commission will launch an investigation because EBay is an American company. Within Europe, the Luxembourg data protection authority will take the lead as EBay's European ...

  18. E-Commerce Time Machine: eBay's Historic 2014 Data Breach

    This is true, too, in e-commerce, as one of the industry's longtime giants in marketplace eBay can personally attest to. Now over eight years ago, in February/March 2014, the e-commerce mainstay suffered a severe data breach as a result of a cyber attack - resulting in a whopping 145 million users, the marketplace's entire user base at ...

  19. eBay 2014 data breach: With Big Data comes Big Responsibility

    eBay 2014 data breach: With Big Data comes Big Responsibility. Gaurav Singh. EXECUTIVE SUMMARY: With the dawn of big data in this new age of technology everything is being revolutionized. With each passing year there's a new advancement in the field of technology, but the nascency of these advancements ...

  20. The biggest data breach fines, penalties, and settlements so far

    Hacks and data thefts, enabled by weak security, cover-ups or avoidable mistakes have cost these companies a total of nearly $4.4 billion and counting. Sizable fines assessed for data breaches in ...

  21. American Bar Association defeats members' lawsuit over data breach

    The American Bar Association on Tuesday won its bid to toss a proposed class action over a 2023 data breach that exposed the personal information of about 1.5 million lawyers and others.