On Wednesday, May 21, cyberspace became a little over-crowded with unwelcome users. Cybercriminals logged into e-commerce giant eBay's (NASDAQ:EBAY) internal corporate account, gaining access to the personal information of eBay's 145 million registered users. eBay is continuing to work with law enforcement on a thorough investigation into the breach.
Is eBay's breach similar to Target's?
In December of 2013, Target (NYSE:TGT) faced a similar attack. And unfortunately for its shareholders, Target continues to feel the effects. Although eBay declares that, unlike in Target's case, financial information was not compromised, eBay's breach still shares similarities with Target's data breach that should not be overlooked.
Shortly after the attack, Target learned that the hackers accessed more than originally assumed, including mailing and email addresses, phone numbers, and names of roughly 70 million Target shoppers, as well as payment data from over 40 million payment-card members.
Target is still facing the ramifications from this incident, which included total costs topping $200 million according to a report from the Consumer Bankers Association.
Similarly, eBay reported that the cyber-criminals in the breach retrieved customer passwords, email addresses, physical addresses, phone numbers, and dates of birth. However, while Target exposed pieces of information for 110 million customers, eBay left 145 million registered users, and potentially thousands of unregistered users, unprotected.
Should investors and consumers run from eBay?
While the exposed database did not include any financial data, it is extremely likely that many registered users use similar, if not the exact same, log-in information with PayPal. That detail alone puts eBay and its users at risk.
eBay, making its best efforts to avoid potential damage, urged consumers to immediately change their account passwords. According to the Wall Street Journal, the stolen passwords were encrypted, meaning that they were stored in a jumbled form that is unreadable and unusable unless the hackers unscramble it correctly.
While it sounds like the encryption may have pulled eBay out of hot water, Target's experience suggests otherwise.
For example, following the breach, Target revealed to customers that their personal information was protected by the aforementioned encryption, and that the company had stored the keys to unlock the encryption. While this was a great idea for protection, Target used too basic an algorithm (a process that follows calculations or other problem-solving techniques) to protect the information. The company used the standard algorithm known as 3DES.
Basically, Target's 3DES system is known for being weak against "brute-force attacks," in which cyber-criminals use computers to make guesses at high speed, resulting in more rapid success in deciphering the jumbled encryption.
Adobe Systems (NASDAQ: ADBE) also faced a data breach just a year ago, which exposed encrypted information as well. Unfortunately for Adobe customers, the hackers bypassed the encryption and uncovered millions of Adobe customer passwords within weeks.
Adobe also used the 3DES algorithm.
Despite the circumstances, just one day after the breach was disclosed to consumers, Adobe's stock price actually rose. How could that be?
The answer: Adobe capitalized on incident management, and benefited as a result. Adobe alerted its consumers about the breach as quickly as possible, and also offered a year's worth of free credit monitoring through Experian, a large credit bureau, to those who were affected.
Roughly a year later, Adobe is thriving. Although sales are down 8% and net income has dropped 65% as a result of transitioning to a new business plan, it is what's underneath that proves fruitful for Adobe.
On June 17, Adobe reported that shares were up 8% in after-hours trading, reaching an all-time high market capitalization of $33.6 billion. It is likely that the recent declines in sales and net income come as a result of the transition from selling desktop software for nearly $3,000 to offering subscriptions for its new software, "Creative Cloud," for just $50 per month. Although the recent transition has brought sudden declines, it is expected to produce long-term benefits for Adobe.
eBay's Next Steps
Unless eBay protected its encryption with a more challenging algorithm, it is likely that eBay could suffer punishment similar to Adobe and Target. All eBay users, registered or not, should be wary of what new information may be presented as the investigation progresses.
Anup Ghosh, founder of the software company Invincea, said, "Like a natural catastrophe, usually a low number of breached records is reported and, as the story unfolds, the number of compromises grows and grows." Ghosh also stated that hackers may use the stolen email addresses to probe users for more information, such as the answer to a personal question or a Social Security number, in attempts at identity theft.
As of Tuesday, eBay shares have dropped 2.4% to $48.38.
Foolish Final Thoughts
eBay displayed what not to do in the event of a data breach. The company took days to post a notice about the breach on eBay.com and confused users as to whether their PayPal accounts had been affected as well, and many eBay users never received an email notification warning them about the breach or telling them to change their password.
Dave Kennedy, the CEO of security consultancy and breach response firm TrustedSec, said, "It just seems like their response has been complete disarray and disorganization. This is one of the worst responses I have seen in the past ten years from a company that's experienced a breach."
Investors should approach cautiously: as customers become more aware of the breach, their usage may become less frequent. eBay customers should also remain alert, and prepare themselves for grim news that may come next quarter.