eBay attack is ‘wake-up call to all of us’

By Christopher Graham, Information Commissioner.

On Wednesday, eBay wrote to us to tell us they believed a cyberattack had compromised a database of customer information. We’re actively looking at this situation, with a view to launching a formal investigation. On the face of it, this is a very serious breach.

ico-blog-ebay-dOur response is made complicated by the nature of a big multinational internet company like eBay. They’re an American company, so the Federal Trade Commission will look into this. They’ve got a European headquarters in Luxembourg, and so the Luxembourg data protection authority will lead on an investigation in Europe. And there’s millions of UK citizens affected, so clearly we will be involved where we can.

So far our work has been offering assistance to Luxembourg, and providing advice to consumers. We know this is an issue that people here in the UK are concerned about, but we have to be careful: by taking the wrong action at the wrong time, we risk undermining any investigation.

What we can be sure about is that if there has been a breach of the UK Data Protection Act, we’ll act firmly. To give you a similar example, there was a significant data breach from Sony Computer Entertainment Europe and it fell to the ICO in the UK to investigate that as the lead authority. We concluded after a very thorough investigation that Sony had been negligent and that customer data had been compromised. The reputational damage to Sony was surely far greater than the £250,000 fine

This needs to be a wake-up call to all of us. It shows consumers the importance of having different, strong passwords for different online services. It’s a wake-up call to government that the 20-year-old data protection laws are showing their age. But most of all it’s a wake up to businesses. Cyber crime is real. Hacking is real. Responsible companies have got to act to keep their customer information safe, and if they don’t, they’ll find they’re not just in trouble with the Information Commissioner, but they’re in trouble with customers too.

Last updated 23/05/2014 16:20

Christopher GrahamChristopher Graham, Information Commissioner, has a range of responsibilities under the Freedom of Information Act 2000, the Data Protection Act 1998 and related laws.
This entry was posted in Christopher Graham and tagged , , , , , , , . Bookmark the permalink.

14 Responses to eBay attack is ‘wake-up call to all of us’

  1. Homeboy Chris says:

    Id like to know how the hackers obtained DOB information if paypal wasnt hacked. Dont recall ever giving that info to ebay, only paypal.

  2. Homeboy Chris says:

    Another thing here is I dont believe they attempted in good faith to notify their users of this within a reasonable timeframe. We didnt recieve a call, email, or a letter from them regarding this. What we did get was an announcement on their corporate site ebayinc.com (which no one ever looks at) and a facebook announcement on their site that only has 7 million likes, so it only went out to 7 of the 142 million affected. And of that 7 million, only the people who go on facebook every day and look at every post on their newfeed actually became aware of it. Not good faith compliance with the spirit of the law imo.

  3. Homeboy Chris says:

    Users are still recieving their daily spam emails from ebay, so they have no excuse to why their system isnt able to send out an email to all the users. That is complete nonsense.

  4. Ian R says:

    It is a wake-up call all right, but in a different way.
    I suspect this ‘password complexity’ business (or as Dilbert succinctly put is it, the requirement for squirrel noises in passwords) is in reality an excuse to cover the failings of the software itself. Properly written software should not in any case allow bruteforce ‘dictionary’ attacks.

    Its main effect is to deter users from changing their password. If they do change it, they have to write it down, because, ‘%R?1$kSR!$%^5$!^$’ is impossible to memorise. Thus, it is LESS secure than a sensibly chosen passphrase.

    The real security issues are:
    In terms of data handling, unwanted dissemination of data -where a company who needs your data supplies it to a third party who has no right to it, and who then misuses or leaks it. Reevoo are a case in point here. The DPA is an important tool in tackling this.

    In terms of vulnerabilities in software itself, such as the Heartbleed exploit, the two elephants in the room are the insistence on using the archaic C programming language with its inherent lack of variable bounds checking, and the use of the equally archaic SQL database backend to store website data, with its extreme vulnerability to code injection exploits.

    Both of these tools date from the mainframe era, when ‘security’ meant a guard standing at the door of the computer room, and only trusted persons allowed access to keyboards. The have zero inherent security, and are totally unsuited to the Internet era of connected computers.

    So, the wake-up call needed here is to deprecate C and SQL. Not easy, as these ancient and decrepit tools have become deeply entrenched in the IT industry’s infrastructure. But, if the Internet is ever to be a safe place for commerce, sooner or later it has to be done.

  5. BlackPhi says:

    “if there has been a breach of the UK Data Protection Act” – seriously? Is the UK Data Protection Act really that weak? They’ve been storing personal details about their UK customers, apparently unencrypted, on databases which can be accessed using random employees’ logins. Yet you are only vaguely “looking at” a formal investigation? Surely eBay needs to be investigated and fined by the authorities in *every* region whose citizens have had their details revealed in this way, and given proper fines in each – £250,000 is hardly a speck for a company the size of Sony, or eBay.

    • Charles Verrier says:

      Presumably, things are complicated by the fact that eBay is an American corporation, and the data is stored outside the UK (they do have a datacentre in Berlin, I understand, but all the others are well outside the EU) and under the terms of EBay’s T&Cs (i.e. a contract with an Ebay subsidiary in Luxemburg).

      • BlackPhi says:

        One of the Data Protection Principles set out in the Act is “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

        Whether the data is stored in Berlin or Bangkok it is data about UK citizens, collected from operations in the UK, and companies need to be penalised to the full extent of the law when they do not protect it adequately. Incidentally UK data protection law (and its EU equivalents) cannot be overridden by T&Cs.

  6. Anthony says:

    My encrypted password is less of a big deal, than the fact my unencrypted details (name, address, DOB) and more have been taken (as far as I can tell, from what pathetic information has been released). How any of this was available to regular ebay staff with no security details from my side is staggering and horrifying. Banks and mobile phone companies have sensible systems in place – why does ebay not, when it has as big (or even bigger) market capitalisation that some of the companies I just mentioned.

    Hopefully this severe breach is investigated, and a more appropriate fine issued. Please take heed of the miss-selling fines in energy firms (in the 10s of millions), or the fines in pharmaceuticals (in the billions).

  7. Well said Homeboy Chris. Totally Agree

  8. Mike Henson says:

    eBay state that the information stolen was encrypted so unless the encryption key was also stolen what’s the problem?

    • Charles Verrier says:

      Because, once the data has been copied, the hackers have the luxury of time to try brute force decryption.

  9. Rural voter says:

    As with cold calling and spam e-mails, it seems to me from my limited knowledge that the UK regulations on storage of personal data actually make it difficult for the Information Commissioner to impose an enormous fine – even if a company has been almost criminally negligent as could be true with Ebay

    By the way, does someone has evidence the basic personal data i.e. name/address/tel no /DOB was protected? Reports on the BBC and Telegraph websites suggested only the passwords were protected and most of those are hackable within seconds/minutes.

    The regulations dealing with spam which I’ve been checking actually stop the ICO from taking collective action for damages on behalf of all consumers. They require individual consumers to sue companies if they believe their data privacy rights have been infringed. Hence a derisory trickle of county court cases with damages in the £100s and rarely over £1,000. Hardly an incentive to behave better except perhaps for tiny companies.

    Maybe as usual the Federal Trade Commission will prove to be a watchdog with bigger teeth.

  10. ebay previously faces big cyber attack, i read this news on a website and the hackers attack affected millions of accounts. it was a loss

Leave a Reply