eBay Data Breach -- The 'Inexcusable' Impact on 233 Million Customers

How did eBay fail to notice a data breach affecting 233 million customers for three whole months?

May 22, 2014 at 10:49AM

eBay (NASDAQ:EBAY) has just requested its users change their passwords, following a massive data breach that exposed the records of the site's 233 million customers.

eBay stated that the breach exposed customer names, email addresses, physical addresses, phone numbers, and birthdays -- none of which had been encrypted. Financial information, which had been encrypted on PayPal, was not affected. However, the leak of so much personal data leaves eBay's customers fully exposed to identity theft. Rik Ferguson, global VP of security research at Trend Micro, called eBay's lack of encryption of personal information "inexcusable," in a statement published by The Guardian.


eBay CEO John Donahoe. Source: Flickr.

The attack on eBay was much larger than the attack on Target (NYSE:TGT) last December, which resulted in the theft of approximately 40 million credit card records and 110 million personal data records. As a result of that debacle, Target CEO Gregg Steinhafel resigned earlier this month.

But what's alarming about eBay's data breach is that it started three months ago, between late February and early March. eBay only detected the breach two weeks ago, and only informed the public on May 21. That's a long time for hackers to have free access to eBay's accounts.

The business of hacking passwords
There are two common ways to secure passwords on websites -- encryption and hashing. Encryption lets eBay, or anyone who obtains the decryption key, recover a user's password. Hashing lets eBay check whether a submitted password is correct without storing anything from which the password can be recovered, so there is no key for an attacker to steal. eBay was using encryption, the weaker of the two options, which meant that hackers merely had to steal the key to get in the front door.

eBay wasn't the first to make that mistake. Adobe (NASDAQ:ADBE), which had at least 38 million passwords stolen last October, was also using encryption instead of hashing -- an embarrassing revelation for a company that was trying to convince customers to migrate from packaged software to cloud-based subscriptions.

A common mistake that companies make is the belief that making customers choose "stronger" passwords -- with upper and lowercase letters and random numbers -- makes them harder to crack. Those long passwords only protect your accounts against nosy friends or family members who are randomly guessing the password. Against reversible encryption, password strength is irrelevant: whoever obtains the decryption key recovers the password directly -- no guessing involved.
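The following is an added example, not code from the article or from eBay's systems, contrasting the two storage schemes the preceding paragraphs describe: with reversible encryption, whoever holds the key recovers every stored password, strong or weak alike, while with salted one-way hashing the site can only verify a guess. The toy HMAC-counter cipher, the key and the sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# --- Scheme A: reversible encryption (what the article says eBay and Adobe used) ---
# Toy keystream cipher built from HMAC-SHA256 in counter mode; constructed for
# illustration only, to make the key-recovery property concrete.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_password(password: str, key: bytes) -> bytes:
    nonce = os.urandom(16)                      # fresh nonce per record
    pw = password.encode()
    return nonce + bytes(a ^ b for a, b in zip(pw, _keystream(key, nonce, len(pw))))

def decrypt_password(record: bytes, key: bytes) -> str:
    # Anyone holding the key gets the plaintext back, whatever the password's strength.
    nonce, ct = record[:16], record[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def recover_all(records: list, key: bytes) -> list:
    # Impact of a single stolen key: every stored password falls at once.
    return [decrypt_password(r, key) for r in records]

# --- Scheme B: salted one-way hash (PBKDF2-HMAC-SHA256 from the standard library) ---
def hash_password(password: str, iterations: int = 200_000) -> dict:
    salt = os.urandom(16)                       # per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify_password(password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])  # constant-time comparison

# There is deliberately no decrypt counterpart for scheme B: the server stores
# nothing from which the password can be recovered, so there is no key to steal.
# An attacker who copies the table is left guessing, one slow PBKDF2 call per guess.
```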

Why hasn't eBay invested more in securing its servers?
eBay's reluctance to upgrade its security until a massive data breach is symptomatic of the retail industry's myopic view of the bottom line. Upgrading security across an entire company can cost hundreds of millions of dollars.

Last quarter, eBay posted a net loss of $1.82 per share, or $2.33 billion, due to big foreign tax charges. Adjusted earnings of $0.70 per share topped analyst estimates by three cents. Revenue climbed 14% year-over-year to $4.26 billion, also topping analyst estimates. The company finished last quarter with $7.84 billion in cash and equivalents.

In other words, eBay could easily have afforded a security upgrade, but failed to do so even after watching Target and Adobe go down in flames. It's a simple matter of procrastination and a short-term view of the bottom line -- the larger a business is, the harder it is to upgrade its IT infrastructure. Banks recently faced that same problem -- prior to Microsoft's end of support for Windows XP in April, a whopping 95% of ATMs across the country used the outdated operating system, despite the reported risk of various hacks.

Companies were given fair warning
Last May, prior to the high-profile attacks on Adobe and Target, the Ponemon Institute reported that U.S. and German companies were experiencing the highest total costs related to their data breaches. U.S. and Australian companies were also found to expose the largest number of records to hackers during data breaches.

However, the same study found that German and Australian companies, not American ones, were spending the most to counter these threats. Retailers who had been keeping an eye on these figures should have realized that U.S. businesses were falling behind in their duty to protect their customers' data.

Earlier this month, Ponemon announced that the average cost of data breaches per U.S. business had risen 15% year-over-year to $3.5 million. U.S. and German businesses again experienced the most expensive data breaches, while U.S. and Arabian businesses exposed the most customer records. Yet similar to the previous year's findings, German and French businesses, not American ones, spent the most on detection.

Ironically, in both the 2013 and 2014 reports, U.S. businesses spent the most on notifying their customers that their data had been stolen.

Investing in a company's reputation
The most important revelation of Ponemon's study, however, is that a tarnished reputation and the loss of customer loyalty "does the most damage to the bottom line."

After companies like eBay, Adobe, and Target are breached, they must spend heavily to rebuild their public images and acquire new customers. Litigation costs could also pile up -- lawsuits against Target and its credit card security company, Trustwave, are still ongoing.

eBay is clearly downplaying the severity of its data breach by emphasizing that no financial records were stolen. But the damage has been done -- eBay's data breach has now been dubbed "the second largest data breach in U.S. history" by Reuters, and will likely tarnish the brand and result in lawsuits.

Companies like eBay need to learn the lesson of The Three Little Pigs -- building a house out of cheap straw and sticks (then refusing to switch to readily available bricks) simply invites the big bad wolf to blow it all down.



Leo Sun has no position in any stocks mentioned. The Motley Fool recommends Adobe Systems and eBay. The Motley Fool owns shares of eBay. Try any of our Foolish newsletter services free for 30 days. We Fools may not all hold the same opinions, but we all believe that considering a diverse range of insights makes us better investors. The Motley Fool has a disclosure policy.
