eBay 2014 data breach: With Big Data comes Big Responsibility
With the dawn of big data, everything in this new age of technology is being revolutionized. Each passing year brings a new advancement in the field of technology, but the nascency of these advancements also gives rise to new ways for them to be exploited. Information is everything: big companies like Google, Amazon, eBay and Facebook hold huge amounts of data about their customers and are a prime target for attackers. With big data comes big responsibility, and corporations have to be on alert all the time. Data is valuable, and strict security measures have to be taken to make sure hackers don’t get their hands on it, yet since the beginning there has always been a breach at one corporation or another. This paper looks at eBay, which was the victim of a data breach in 2014 and lost the customer data of almost 145 million users, at the reasons behind what went wrong, and at what should have been done.
eBay is an American corporation based in California. It was founded by Pierre Omidyar in the autumn of 1995. It was an instant success and became a model for new booming internet-based businesses; by 2011 its operations had grown to 30 countries. The company works on a consumer-to-consumer or business-to-consumer model through its website and provides a wide range of services such as selling goods, buying, auctioning and much more.
Being the first of its kind and founded during the dot-com bubble, eBay grew exponentially like any other internet company. The initial IPO was $18, which went up to $53 on the first day of trading. In January 1997 it hosted 2,000,000 auctions as compared to 250,000 in 2016, and by 2001 it had the largest userbase of any ecommerce site. The growth was phenomenal; eBay had established its userbase and its place in the market. With little competition around, eBay bloomed like a bud.
As time went on, eBay purchased PayPal as its own payment option. By 2010 it had a really big network. Its database contained data about its customers, their payment info, login credentials, etc. In 2014 a group of hackers gained access to the login credentials of 3 of eBay’s employees, giving them access to eBay’s internal network. The hackers used those credentials to log in and steal the customer data of almost 145 million users from its database. Payment information was not stolen, as it was saved in a different location and required a different kind of access, but eBay still lost a huge amount of data. What made matters even worse was that eBay didn’t realize for 3 months that there had even been a breach, after which it started taking measures to reduce the damage. eBay was a target of multiple kinds of breaches at the same time, and it lacked the security measures to prevent them from happening.
What happened?
The credentials of 3 employees were compromised, which gave the hackers easy access to the eBay network and let them exfiltrate customer data including physical addresses, phone numbers, dates of birth, names, encrypted passwords and email addresses (reuters.com). One of the most common ways the passwords could have been stolen is through phishing attacks. People also use the same password on different platforms, so a compromise of one asset often leads to a compromise of another.
Once the hackers had infiltrated the system, they had easy access to all its features and could move around without raising much suspicion. They could have pivoted between the various applications inside the infiltrated environment. For example, web applications might have granted access to credentials, which in turn enabled the retrieval of user data. Thus, by moving through the various services with the information they had obtained, they pulled other classes of data.
The chances of this happening are quite high in big organizations, as they have a broad range of services to offer. In eBay’s case the attack was carried out under legitimate employees’ accounts, which made it even harder to detect. There is no one security product or control that can prevent data breaches. The most reasonable means of preventing data breaches involve commonsense security practices, which entail knowing security basics such as using strong passwords, not opening unknown links, being aware of social hacking, applying proven malware protection and applying the necessary software patches on all systems (searchsecurity.techtarget).
The poor management of the crisis at eBay is a key reason for the backlash that the company received from the public. Not only did the hackers get their hands on eBay’s network, they were also able to exfiltrate the data without timely detection. The breach was disclosed more than 3 months after it happened. Once eBay found out, it asked users to reset their passwords manually. In addition, the company maintained that data relating to financial and credit card information was held in a separate encrypted database and was thus not vulnerable to such attacks. However, the decision to ask users to change their passwords contradicted the statement that the data was protected through encryption. The whole process was handled like a joke, resulting in public outcry (Troy Hunt, 2014).
Aftermath
The higher the fall, the more it hurts. For eBay, a fall at a stage like this had huge repercussions. The result of this poor management was reflected in the diminishing customer activity on its website just after it announced the breach. In addition, it also reported a large loss of customers. That was not the only loss: the company reported a loss of 200 million dollars in revenue. eBay had clearly made a number of mistakes before and after the breach, and it should use this incident as a guide for the future (James Taylor, 2017).
After eBay asked the public to change passwords, there was a huge rush of traffic to its website all at once, which, together with poor management on eBay’s part, led to a jam. A large number of requests started coming in to the platform, and eBay didn’t have the tools to handle them all at once. This led to a loss of face in front of the public.
The next big question to ask is: what were the core problems inside eBay that led to such a big fiasco?
eBay faced an attack and failed on multiple levels. The attackers exploited multiple bugs inside the system and were able to go unnoticed for almost 3 months. A company as big as eBay should have had the correct preventive measures to protect itself from attacks like this; in addition, its employees didn’t have the correct training or awareness to stop such attacks. This kind of sloppiness is not expected from a company like eBay. To better understand the predicament, the root of the problem needs to be understood. So, let’s take a deeper look into the problem and find out exactly how eBay came to be in the position it was in.
Lack of proper security:
There was a total lack of security protocols. In an era in which 2 factor authentication is fast being applied everywhere, eBay didn’t have 2FA, hence the hackers could get in easily. Had it been in place, it would not have been possible for them to access the internal network so easily. Lacking these basic security features is just not acceptable for a company like eBay, which holds copious amounts of sensitive user information.
Inadequate employee training:
The point of entry into the network was provided by none other than eBay’s own employees. The login credentials of 3 of its employees were compromised. There are several ways the attackers could have done that, the most likely being phishing attacks or social hacking.
Employees should have known not to open emails and links from other users, and to use different credentials for different applications and thus prevent the fire from spreading. The lack of knowledge about such basic things leads us to believe that they were improperly trained. This simple mistake, which could easily have been prevented, led to an event that cost eBay millions of dollars and a loss of reputation and trust among its customers.
Lack of transparency and communication:
eBay’s lack of transparency and communication has been a huge problem for its reputation. The fact that it could not detect the attack for 3 months, together with the lack of a proper timeframe for the incident, led the public to question eBay as to why or how the breach happened. Customer complaints were poorly handled, and without proper customer service the situation was a long way from getting better.
Bad customer service:
In the aftermath, users rushed to eBay’s website after they found out that their information had been compromised. eBay didn’t think this through, and there was a surge in traffic to the website and a whole lot of requests to be processed at the same time. This led to even further delays, and it took eBay more time to bounce back. Also, it took 3 months to realize and inform the users about the attack. Such a faulty detection system gave the attackers all the time they needed to get into the system and take all the data they wanted. Customers trust eBay with their sensitive information, and it is eBay’s responsibility to keep that data safe any way it can; failure to do so cost it business and gave rival businesses a chance to grab more market share.
All these mistakes led to a loss of customers and almost $200 million in revenue for eBay, and a loss of trust among its userbase which it will never be able to recover.
How could this have been prevented?
Having proper security protocols:
In this new age of technology, where we have access to the internet almost everywhere, eBay had very lax security measures. It didn’t even have 2 factor authentication in place when it had been implemented almost everywhere else. If it had been installed, it would have been difficult for any outsider to gain access to the system.
Other than that, regular checks of its systems would have helped eBay recognize any intrusion in time. Proper antimalware should be installed and regular system checkups should be made compulsory.
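One form such a regular check could take, given that the attackers worked under legitimate employee accounts, is a per-account baseline of how many customer records each account reads per day. This is an added example, not code from eBay or from the sources cited in this paper; the log format, account names, counts and thresholds are all constructed assumptions.

```python
import statistics

# Constructed audit log (not real data): "<day> <employee account> <customer records read>"
SAMPLE_LOG = """\
d01 emp_a 118
d01 emp_b 40
d02 emp_a 122
d02 emp_b 38
d03 emp_a 109
d03 emp_b 45
d04 emp_a 131
d04 emp_b 41
d05 emp_a 125
d05 emp_b 39
d06 emp_a 4200
d06 emp_b 44
d07 emp_a 5100
d07 emp_b 42
d08 emp_a 119
d08 emp_b 43
""".splitlines()


def flag_bulk_reads(lines, min_history=5, k=6.0):
    """Return (day, account, count, threshold) for days far above the account's own baseline."""
    history = {}  # account -> earlier daily counts that were judged normal
    alerts = []
    for line in lines:
        day, account, raw = line.split()
        count = int(raw)
        prior = history.setdefault(account, [])
        if len(prior) >= min_history:
            med = statistics.median(prior)
            # Median absolute deviation: a spread estimate that one outlier cannot inflate.
            mad = statistics.median([abs(c - med) for c in prior])
            # Floor the spread at 10% of the median so a very steady account is not noisy.
            threshold = med + k * max(mad, 0.1 * med, 1)
            if count > threshold:
                alerts.append((day, account, count, round(threshold)))
                continue  # a flagged day must not raise the account's baseline
        prior.append(count)
    return alerts


if __name__ == "__main__":
    for alert in flag_bulk_reads(SAMPLE_LOG):
        print("ALERT day=%s account=%s records=%d threshold=%d" % alert)
```

Because the password check succeeds for a stolen credential, the signal here is the volume of data an account touches compared with its own history, not the login itself.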
Proper employee training:
Well-written security policies for employees and proper training go a long way. Policies may include concepts such as the principle of least privilege, which gives employees the bare minimum of permissions and rights needed to perform their duties. In addition, the company should have an incident response plan that can be implemented in states of crisis or in the event of an intrusion.
Better customer service:
Better customer service and a team of people who know their job well enough to handle a crisis are needed. They should be ever ready for situations like the one that happened to eBay. They should have measures in place for a quicker response time to the public in regard to the information security program and in times of crisis. Also, taking better care of customers helps grow the userbase and keeps the users happy.
Use updated software and applications:
Software and programs are updated regularly, and if we don’t keep up, it gives attackers a known path to exploit, that is, a bug which they already know how to play in their favor. So, it’s important to keep updating them regularly.
These were some of the basic things which, had they been kept in check, might have allowed the whole attack to be avoided.
In the age of data, security is one of the biggest concerns; for any company, security is a domain which can’t be taken lightly. In eBay’s case hackers got an easy entry because of the improper training and sloppiness of its employees, and later the matter escalated because eBay didn’t have enough preventive measures to detect an intrusion. This negligence toward security cost it millions of dollars and goodwill which it won’t be able to make up. It also teaches us that it is important to take care of the small things, small protocols and preventive measures, because sometimes even a small mistake might lead to something big. This was a lesson not just for eBay but for every other company that handles such copious amounts of sensitive information, and they should learn from the mistake so that it never happens again.
Finkle, Jim. “Exclusive: EBay Initially Believed User Data Safe after Cyberattack.” Reuters, Thomson Reuters, 23 May 2014, www.reuters.com/article/us-ebay-cybercrime/exclusive-ebay-initially-believed-user-data-safe-after-cyberattack-idUSBREA4M0PH20140523.
Rouse, Margaret, and Kevin Ferguson. “What Is a Data Breach? Definition from WhatIs.com.” https://searchsecurity.techtarget.com/definition/data-breach.
Hunt, Troy. “The EBay Breach: Answers to the Questions That Will Inevitably Be Asked.” Troy Hunt, Troy Hunt, 21 May 2014, www.troyhunt.com/the-ebay-breach-answers-to-questions/.
Taylor, James. “Security Breach at EBay.” Essay Typing, 5 Oct. 2017, www.essaytyping.com/security-breach-ebay/.