eBay Security Practices under investigation by US States
Published on: 5/22/2014
eBay came under pressure on Thursday over a massive cyber attack, as three US states began investigating the e-commerce company's security practices.
Connecticut, Florida and Illinois said they were conducting a joint investigation of the matter. New York attorney general Eric Schneiderman requested eBay provide free credit monitoring for everyone affected, according to a person familiar with the matter.
Details about what happened are unclear because eBay has provided few details about the attack, which is under investigation by the FBI and a cyber-forensics firm. It is also unclear what legal oversight the states had to respond to eBay's handling of the matter.
The states' quick move to investigate the attack shows that authorities are serious about holding companies accountable for securing consumer data following high-profile breaches at other companies, including retailers Target, Neiman Marcus and Michaels Stores and the credit monitoring bureau Experian.
Congress and the Federal Trade Commission are investigating the Target breach, which resulted in the firing of the company's chief executive and chief information officer.
"There is definitely a climate shift," said Jamie Court, president of the consumer advocacy group Consumer Watchdog. "The departure of the Target CEO over the problem signals inside the board room and in the halls of government that these are betrayals of customers and that they won't be tolerated."
EBay shares were down 1.3% in afternoon Nasdaq trade, compared with a 0.6% increase in the Nasdaq Composite Index.
The investigation by the three states will focus on eBay's measures for securing personal data, the circumstances that led to the breach, how many users were affected and the company's response to the breach, said Jaclyn Falkowski, a spokeswoman for Connecticut Attorney General George Jepsen.
His office, which is also investigating breaches at Target, Neiman Marcus and Experian, has already contacted eBay, according to Falkowski.
eBay spokeswoman Amanda Miller declined to comment on the investigation by the three states or Schneiderman's request for credit monitoring, but said the company was working with governments around the globe in the wake of the attack.
"We have relationships with and proactively contacted a number of state, federal and international regulators and law enforcement agencies," she said. "We are fully cooperating with them on all aspects of this incident."
A spokesman for the FBI's San Francisco office said multiple agents were working on the case, but declined to comment on the likelihood or timing of arrests.
The investigations came as some eBay customers complained in eBay Community forums and on social media that they received news about the breach from media sources first and not directly from the company. Some customers said they had yet to receive notifications by email, which eBay had promised to send.
"This is all over the news – Nothing from EBay," sfbay111 said in one post on an eBay forum.
Several security experts said the best practices in responding to a breach of this type would be for eBay to have a message pop up when victims log in, telling them about it and forcing them to change their passwords.
As of Thursday afternoon, eBay did not have any information on the attack visible on its home page when accessed from the US.
"That's really poor incident response," said David Kennedy, a cyber-forensics expert and chief executive of TrustedSEC. "eBay should be held to a higher standard."
eBay denies that stolen customer data is available for public sale
What is claimed to be a copy of eBay's stolen database is offered for sale via anonymous text file site Pastebin.
eBay says that a database being offered for sale online is not authentic. The hacker offering it claims it contains details of the auction site's users that were compromised in the cyberattack revealed on Wednesday.
Someone claiming to have a copy of eBay's stolen database is offering to sell it for 1.45 bitcoin (about £447) via the anonymous text file site Pastebin.
Barclays Bank probing the breach of client data sold to rogue City traders
Barclays Bank announced an investigation into client data sold to rogue City traders. The official statement from Barclays Bank: "We are grateful to the Mail on Sunday for bringing this to our attention and we contacted the Information Commissioner and other regulators on Friday as soon as we were made aware. Our initial investigations suggest this is isolated to customers linked to our Barclays Financial Planning business which we ceased ...
World Economic Forum website closes email address leak
Security research firm finds vulnerabilities in the website of the WEF, which organises the annual conference in Davos.
A security flaw on its website led to the World Economic Forum at Davos leaking attendees' email addresses for at least five days in mid-January.
Embarrassingly for the organisation, even while their insecure website was exposing attendees' information, the World Economic Forum released a report arguing that a failure to deli...