eBay Hacked - Would you believe John Donahoe offered credit protection?
22 May 2014
“You eat danger for breakfast”
“Would you believe lunch?” Zach Smart
“Don't do that.” Chief Maxwell Smart
Get Smart (1995)
eBay INC made an interesting press release on 21 May 2014. eBay INC stated:
A matter-of-fact, 'don't panic', 'nothing to see here' statement. Then came the scrutiny.
“No more secrets, Marty.”
Cosmo, Sneakers (1992)
The press release did not mention the extent of the "compromised" database, although on 21 May 2014 eBay INC clarified:
"“For the time being, we cannot comment on the specific number of accounts impacted. However, we believe there may be a large number of accounts involved and we are asking all eBay users to change their passwords,” eBay spokeswoman Kari Ramirez said."
And on 22 May 2014 eBay INC provided more clarification:
EBay hack, 2nd largest in U.S. history, leaves questions unanswered
Chicago Tribune, Reuters, 22 May 2014
“EBay Inc's description of how hackers got access to its entire database of 145 million user records leaves many questions unanswered as to how cyber criminals orchestrated what appears to be the second-biggest data breach in U.S. history.”
"“They've been pretty tightlipped. They've barely provided any information. They should be more forthcoming about what happened,” said David Kennedy, chief executive of TrustedSEC LLC, an expert in investigating data breaches.
In particular, Kennedy wants to know why it took eBay three months to detect the intrusion."
"Missed it by that much"
Maxwell Smart (Don Adams), Get Smart
“The day ain’t over yet…”
Curly, City Slickers (1991)
In eBay INC's press release they promised, "Beginning later today, eBay users will be notified via email." Has any reader received any email warning of the database breach? Apparently that email has yet to be sent.
"Some customers complained on eBay Community forums that they had not received much information about the breach from eBay and have yet to get notifications by email, which the company has promised to do."
And what did the 145 million users affected by the database incursion immediately see?
U.S. states probe eBay cyber attack as customers complain
Reuters, 22 May 2014
The eBay Hack: They Haven't Only Hacked Your Security, They've Hacked Your Brand
Patrick Hanlon, Forbes, 22 May 2014
"The eBay Hack" brings to mind the recent Target INC hack.
Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It
Michael Riley, Ben Elgin, Dune Lawrence, Carol Matlack, Businessweek, 13 March 2014
"The biggest retail hack in U.S. history wasn’t particularly inventive, nor did it appear destined for success. In the days prior to Thanksgiving 2013, someone installed malware in security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores."
"On Saturday, Nov. 30, the hackers had set their traps"
"Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes."
"More than 90 lawsuits have been filed against Target by customers and banks for negligence and compensatory damages. That's on top of other costs, which analysts estimate could run into the billions."
The time between hack and notification?
Note this is not Target INC notifying its customers. It's the U.S. Government notifying Target INC.
Notification to consumers was much, much later.
14 January 2014
Dear Target Guest,
As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.
I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.
In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:
Target’s email communication regarding this incident will never ask you to provide personal or sensitive information.
Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com/databreach website. If you have further questions, you may call us at 866-852-8680.
Chairman, President and CEO
Compare and contrast the actions and timeline of Target INC and CEO Gregg Steinhafel to eBay INC and CEO John Donahoe.
Time from breach to customer notification.
- Target Inc, customer emails, 1 month +
- eBay Inc, Press Release, 2-3 months
Message from CEO to customers.
- Target Inc, 1 month +
- eBay Inc, none
- Target Inc, "Target is offering one year of free credit monitoring"
- eBay Inc, none
While eBay INC has stated, "no evidence of unauthorized access or compromises to personal or financial information", one may or may not want to take that with a grain of salt.
"Someone posted a batch of emails, scrambled passwords, phone numbers and addresses of more than 12,000 people on the Internet, saying it was a sample of data stolen from eBay and offering to sell the full batch for 1.453 bitcoin, or a little more than $750."
If eBay INC can't identify its own users, what assurance is there that eBay INC can identify the condition of its own data?
The fate of Target INC CEO Gregg Steinhafel?
Target's CEO Steps Down Following The Massive Data Breach And Canadian Debacle
Forbes, 8 May 2014
“Target CEO, President and Chairman Gregg Steinhafel resigned from all his positions after extensive discussions with the board.”
“I’ve never seen worse corporate governance than eBay”
Carl Icahn, 5 March 2014
The fate of eBay INC CEO John Donahoe remains to be seen.
“And because of current synergies, a lot of data is traded between eBay and PayPal.” JP Mangalindan, Fortune
“Why would you divide up the data?! Everyone is paying millions to get to the data. Why would you divide up the data?”
John Donahoe, 10 March 2014