eBay (EBAY) has just asked its users to change their passwords, following a massive data breach that exposed the records of the site's 233 million customers.
eBay stated that the breach exposed customer names, email addresses, physical addresses, phone numbers, and birthdays -- none of which had been encrypted. Financial information, which had been encrypted on PayPal, was not affected. However, the leak of so much personal data leaves eBay's customers fully exposed to identity theft. Rik Ferguson, global VP of security research at Trend Micro, called eBay's lack of encryption of personal information "inexcusable," in a statement published by The Guardian.
The attack on eBay was much larger than the attack on Target (TGT) last December, which resulted in the theft of approximately 40 million credit card records and 110 million personal data records. As a result of that debacle, Target CEO Gregg Steinhafel resigned earlier this month.
But what's alarming about eBay's data breach is that it started three months ago, between late February and early March. eBay only detected the breach two weeks ago, and only informed the public on May 21. That's a long time for hackers to have free access to eBay's accounts.
The business of hacking passwords
There are two common ways to protect stored passwords on websites -- encryption and hashing. Encryption is reversible: eBay, or anyone who obtains the decryption key, can recover a user's password. Hashing is one-way: eBay can check whether a submitted password is correct, but there is no key that turns the stored value back into the password, so hackers have nothing to steal that would unlock it. eBay was using encryption, the weaker of the two options, which meant that hackers merely had to steal the key to get in the front door.
eBay wasn't the first to make that mistake. Adobe (ADBE), which had at least 38 million passwords stolen last October, was also using encryption instead of hashing -- an embarrassing revelation for a company that was trying to convince customers to migrate from packaged software to cloud-based subscriptions.
A common mistake that companies make is the belief that making customers choose "stronger" passwords -- with upper and lowercase letters and random numbers -- makes them harder to crack. Those long passwords only protect your accounts against nosy friends or family members who are randomly guessing the password. With regular encryption, obtaining the decryption key simply reveals the password -- no guessing involved.
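To make the encryption-versus-hashing distinction concrete, here is an added example (not code from eBay, Adobe, or the article) that stores the same constructed password two ways: once reversibly encrypted under a server key, and once as a salted PBKDF2 hash. The toy keystream cipher and the sample credentials are assumptions for demonstration only; the point is that the key recovers the first record outright, while the second can only be checked one guess at a time.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; slows down each guess


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from SHA-256 (demonstration only,
    # not a production cipher): it stands in for "regular encryption".
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_password(key: bytes, password: str) -> dict:
    # Reversible storage: anyone holding `key` can undo this.
    nonce = os.urandom(16)
    pw = password.encode()
    ct = bytes(a ^ b for a, b in zip(pw, _keystream(key, nonce, len(pw))))
    return {"nonce": nonce, "ct": ct}


def decrypt_password(key: bytes, record: dict) -> str:
    ks = _keystream(key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks)).decode()


def hash_password(password: str, salt: bytes = b"") -> dict:
    # One-way storage: a random salt plus a slow hash; no key exists.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    # The only operation a hashed store supports: test one candidate.
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def demo() -> dict:
    key = os.urandom(32)                       # constructed server key
    enc = encrypt_password(key, "Tr0ub4dor&3")  # constructed sample password
    hashed = hash_password("Tr0ub4dor&3")
    return {
        "recovered_from_encrypted": decrypt_password(key, enc),  # plaintext back
        "hash_verifies_correct": verify_password(hashed, "Tr0ub4dor&3"),
        "hash_verifies_wrong": verify_password(hashed, "password123"),
    }
```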
Why hasn't eBay invested more in securing its servers?
eBay's reluctance to upgrade its security until a massive data breach is symptomatic of the retail industry's myopic view of the bottom line. Upgrading security across an entire company can cost hundreds of millions of dollars.
Last quarter, eBay posted a net loss of $1.82 per share, or $2.33 billion, due to big foreign tax charges. Adjusted earnings of $0.70 per share topped analyst estimates by three cents. Revenue climbed 14% year-over-year to $4.26 billion, also topping analyst estimates. The company finished last quarter with $7.84 billion in cash and equivalents.
In other words, eBay could easily have afforded a security upgrade, but failed to do so even after watching Target and Adobe go down in flames. It's a simple matter of procrastination and a short-term view of the bottom line -- the larger a business is, the harder it is to upgrade its IT infrastructure. Banks recently faced that same problem -- prior to Microsoft's discontinuation of Windows XP in April, a whopping 95% of ATMs across the country used the outdated operating system, despite the reported risk of various hacks.
Companies were given fair warning
Last May, prior to the high-profile attacks on Adobe and Target, the Ponemon Institute reported that U.S. and German companies were experiencing the highest total costs related to their data breaches. U.S. and Australian companies were also found to expose the largest number of records to hackers during data breaches.
However, the same study found that German and Australian companies, not American ones, were spending the most to counter these threats. Retailers who had been keeping an eye on these figures should have realized that U.S. businesses were falling behind in their duty to protect their customers' data.
Earlier this month, Ponemon announced that the average cost of data breaches per U.S. business had risen 15% year-over-year to $3.5 million. U.S. and German businesses again experienced the most expensive data breaches, while U.S. and Arabian businesses exposed the most customer records. Yet similar to the previous year's findings, German and French businesses, not American ones, spent the most on detection.
Ironically, in both the 2013 and 2014 reports, U.S. businesses spent the most on notifying their customers that their data had been stolen.
Investing in a company's reputation
The most important revelation of Ponemon's study, however, is that a tarnished reputation and the loss of customer loyalty "does the most damage to the bottom line."
After companies like eBay, Adobe, and Target are breached, they must spend heavily to rebuild their public images and acquire new customers. Litigation costs could also pile up -- lawsuits against Target and its credit card security company, Trustwave, are still ongoing.
eBay is clearly downplaying the severity of its data breach by emphasizing that no financial records were stolen. But the damage has been done -- eBay's data breach has now been dubbed "the second largest data breach in U.S. history" by Reuters, and will likely tarnish the brand and result in lawsuits.
Companies like eBay need to learn the lesson of The Three Little Pigs -- building a house out of cheap straw and sticks (then refusing to switch to readily available bricks) simply invites the big bad wolf to blow it all down.