Data watchdog eyes eBay over database breach
The Information Commissioner is considering action against eBay as the website tells its 128 million users to change their passwords because of a cyber attack on its database.
Christopher Graham says his office is "actively" looking at launching an investigation into the US firm, which wants all users to reset passwords in the wake of the attack.
The news follows a new report from the ICO revealing the eight most common IT security vulnerabilities that have led to organisations failing to keep their customers’ data secure.
The attack against eBay, launched between late February and early March, saw hackers access the passwords, phone numbers and addresses of its users, 14m of whom are in the UK.
Users’ dates of birth were also compromised, but an investigation by the California-based firm shows “no evidence” of any unauthorised activity on customer accounts.
Similarly, there is “no evidence” that the hackers were able to breach eBay’s PayPal service, whose data is stored separately in encrypted formats, adds a statement by the firm.
The total number of users whose data has been compromised was not disclosed, yet eBay admitted that a “small number” of its own employee log-ins were used to launch the attack.
In fact, the firm's engineers detected that the staff log-in credentials, which allow access to its corporate network, had been obtained by the hackers. It made the discovery two weeks ago.
“Extensive forensics” then had to be carried out to identify the database that was hit, eBay said on Wednesday, seeming to explain why it has taken the firm a fortnight to alert users.
The site added: “Beginning today, eBay users will be notified via email, site communications and other marketing channels to change their password.”
The online marketplace says it is also considering new security features which, in the coming weeks, may pop up when users log in to their accounts, probably to let them set a new password.