eBay Hacked - Would you believe John Donahoe offered credit protection?
EventHorizon1984
22 May 2014
“You eat danger for breakfast”
“Would you believe lunch?” Zach Smart
“Don't do that.” Chief Maxwell Smart
Get Smart (1995)
eBay INC made an interesting press release on 21 May 2014. eBay INC stated:
"SAN JOSE, Calif.--(BUSINESS WIRE)-- eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.
Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers. We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.
Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
The database, which was compromised between late February and early March, included eBay customers' name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company's announcement today.
The company said it has seen no indication of increased fraudulent account activity on eBay. The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.
Beginning later today, eBay users will be notified via email, site communications and other marketing channels to change their password. In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts."
A matter-of-fact, 'don't panic', 'nothing to see here' statement. Then came the scrutiny.
“No more secrets, Marty.”
Cosmo, Sneakers (1992)
The press release did not mention the extent of the "compromised" database. Although on 21 May 2014 eBay INC clarified:
And on 22 May 2014 eBay INC provided more clarification:
EBay hack, 2nd largest in U.S. history, leaves questions unanswered
Chicago Tribune, Reuters, 22 May 2014
“EBay Inc's description of how hackers got access to its entire database of 145 million user records leaves many questions unanswered as to how cyber criminals orchestrated what appears to be the second-biggest data breach in U.S. history.”
"“They've been pretty tightlipped. They've barely provided any information. They should be more forthcoming about what happened,” said David Kennedy, chief executive of TrustedSEC LLC, an expert in investigating data breaches.
In particular, Kennedy wants to know why it took eBay three months to detect the intrusion."
"Missed it by that much"
Maxwell Smart (Don Adams), Get Smart
“The day ain’t over yet…”
Curly, City Slickers (1991)
In eBay INC's press release they promised, "Beginning later today, eBay users will be notified via email." Has any reader received any email warning of the database breach? Apparently that email has yet to be sent.
And what did the "145 million user"s affected by the database incursion immediately see?
U.S. states probe eBay cyber attack as customers complain
Reuters, 22 May 2014
The eBay Hack: They Haven't Only Hacked Your Security, They've Hacked Your Brand
Patrick Hanion, Forbes, 22 May 2014
"The eBay Hack" brings to mind the recent Target INC hack.
Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It
Michael Riley, Ben Elgin, Dune Lawrence, Carol Matlack, Businessweek, 13 March 2014
"The biggest retail hack in U.S. history wasn’t particularly inventive, nor did it appear destined for success. In the days prior to Thanksgiving 2013, someone installed malware in Target’s (TGT) security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores."
"On Saturday, Nov. 30, the hackers had set their traps"
"Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes."
"More than 90 lawsuits have been filed against Target by customers and banks for negligence and compensatory damages. That's on top of other costs, which analysts estimate could run into the billions."
The time between hack and notification?
"Federal investigators warned Target of a massive data breach on Dec. 12."
Note this is not Target INC notifying its customers. It's the U.S. Government notifying Target INC.
Notification to consumers was much, much later.
14 January 2014
Dear Target Guest, As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.
I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.
In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you:
Target’s email communication regarding this incident will never ask you to provide personal or sensitive information.
Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com/databreach website. If you have further questions, you may call us at 866-852-8680.
Gregg Steinhafel
Chairman, President and CEO
Compare and contrast the actions and timeline of Target INC and CEO Gregg Steinhafel to eBay INC and CEO John Donahoe.
Time from breach to customer notification.
- Target Inc, customer emails, 1 month +
- eBay Inc, Press Release, 2-3 months
Message from CEO to customers.
- Target Inc, 1 month +
- eBay Inc, none
Credit protection.
- Target Inc, "Target is offering one year of free credit monitoring"
- eBay Inc, none
While eBay INC has stated, "no evidence of unauthorized access or compromises to personal or financial information", one may or may not want to take that with a grain of salt.
EBay's Miller said the information was not authentic.
If eBay INC can't identify its own users, what assurance is there that eBay INC can identify the condition of its own data?
The fate of Target INC CEO Gregg Steinhafel?
Target's CEO Steps Down Following The Massive Data Breach And Canadian Debacle
Forbes, 8 May 2014
“Target CEO, President and Chairman Gregg Steinhafel resigned from all his positions after extensive discussions with the board.”
“I’ve never seen worse corporate governance than eBay”
Carl Icahn, 5 March 2014
The fate of eBay INC CEO John Donahoe remains to be seen.
/*
“And because of current synergies, a lot of data is traded between eBay and PayPal.” JP Mangalindan, Fortune
“Why would you divide up the data?! Everyone is paying millions to get to the data. Why would you divide up the data?”
John Donahoe, 10 March 2014
/*
eBay Seller -$19,250 - eBay Buyer -$1.44 - eBay 0
EventHorizon1984
8 September 2015
MED EXPRESS, INC. vs. AMY NICHOLS, et al.
Case No.: 13CIV0351 13CIV0352
Court of Common Pleas, Medina County, Ohio
“The Plaintiff's conduct consisted of allegations or other factual contentions that had no evidentiary support or, if specifically so identified, were not likely to have evidentiary support after a reasonable opportunity for further investigation or discovery. Again, Mr. Rudy had no objective evidence suggesting the statements of fact made by the Defendants were not true. Furthermore, the Plaintiff misrepresented the matter in the pleadings and to the court."
Magistrate James R. Leaver, August 31 2015, Court of Common Pleas, Ohio
Ars Technica posted the article "eBay seller who sued over negative feedback dinged $19K in legal fees" "Judge didn't find Med Express founder's testimony credible" on September 3 2015. The article began with:
"When Med Express sued Amy Nicholls for giving negative feedback on eBay, she didn't back down and remove the feedback. Instead, she lawyered up"
As can be seen in the Court document, and the Ars Technica article, things did not go well with "Med Express founder Richard Radey" and his attorney.
Beginning with this statement in the first paragraph of the "Magistrate's Decision":
"On July 6, 2015, counsel for the Plaintiff filed a motion to withdraw from the representation of the Plaintiff citing irreconcilable differences with the client."
The action that started the legal snowball moving?
“Okay kids. This is where it gets complicated.”
Amy Pond, Doctor Who, Time (2011)
Indeed. The Court record, as signed by Magistrate James R. Leaver, states:
Leading to, as signed by Magistrate James R. Leaver:
Which led to more Court action, as signed by Magistrate James R. Leaver:
Ars Technica noted:
Moving along to the sanctions portion, "The matter proceeded to oral evidentiary hearing before the undersigned Magistrate on April 2, 2015":
A few tidbits from Magistrate James R. Leaver's Conclusion of Law:
There was one bright spot, for the Plaintiff's lawyers James Amodio and Richard Cardenas:
“What is the moral?
Must be a moral.
Here is the moral, wrong or right: Morals tomorrow!
Comedy, comedy, comedy, comedy,
Comedy, comedy, comedy, comedy tonight!”
A Funny Thing Happened on the Way to the Forum (1966)
The moral? Well, don't sue eBay INC.
According to the court document, Amy Nichols never did get the $1.44 refund.
/*
“Section 11, Article I of the Ohio Constitution provides in relevant part: Every citizen may freely speak, write, and publish his sentiments on all subjects, being responsible for the abuse of the right; and no law shall be passed to restrain or abridge the liberty of speech, or of the press."
Magistrate James R. Leaver, 2015
“Take it easy, lad. Everybody's entitled to an opinion.”
Montgomery Scott, The Trouble With Tribbles, 1967
//