May 23, 2014, updated 22 Sep 2016 11:29am

8 lessons from the eBay cyber attack

Practical tips on avoiding being the next victim

By Jimmy Nicholls

The recent cyber attack on eBay saw up to 145 million people’s details taken in what some have called the biggest digital intrusion of all time. In this piece CBR rounds up the best reactions from the attack, as well as eight lessons businesses and consumers can take from what happened.

1. Users should not use the same password across multiple websites

With so many accounts across so many sites, it’s tempting to use the same credentials wherever you go. The trouble is that if one site is breached, a hacker can gain access to any of your profiles. Paul Martini, CEO, iboss Network Security, says: "There may well be further breaches stemming from this attack and it will be difficult to tie losses from other portals back to this specific breach." If you have an eBay account, it is worth changing passwords across your profiles elsewhere.

2. Perimeter defences need to be complemented with internal encryption

As we have highlighted before, IT security is moving its focus away from perimeter defences and will be investing more heavily in internal defences. "We do need to make sure organisations have appropriate firewalls and threat protections in place," says Andrew Bushby, technology director for mobility and information security, Oracle UK. "But you also have to think about security from the inside – how do you protect the data on the inside, because if they do get past those firewalls you don’t want to let them access the soft underbelly of the environment."

3. Only let people access data when it is strictly necessary

Even before the eBay attack, companies were being advised to segregate data and restrict access to sensitive information, but this must be done more thoroughly. "It highlights why security best practitioners call for a layered approach to procedural and technological defences," Mark Kedgley, CTO, New Net Technologies, says, commenting on the eBay breach. "Only provide access to data on a strict needs must basis, and only ever provide users with ‘lowest privilege necessary’ access."

4. Breaches can lead to criminals selling fake caches of data online

After the breach at eBay, somebody found millions of records allegedly up for sale on Pastebin, a web app for storing text, prompting speculation that the data on offer was from the auction website; this was shortly followed by denials from the firm. Trey Ford, global security strategist, Rapid7, says: "It’s not uncommon for criminals to spot an opportunity to cash in on an attack by offering false credentials for sale. This happened with the LivingSocial breach too." The coupon site LivingSocial was attacked earlier last month, with 50 million accounts compromised.

5. Basic data kept on websites can be used to steal identities

Though financial information was not stolen in the breach, there is still the danger of identity fraud. Hugh Boyes of the Institute of Engineering and Technology says: "As an occasional eBay user, I am concerned that not only have they lost my email, username and password, but according to their website the loss includes home address, phone number and date of birth. The only item they are missing is mother’s maiden name and they have sufficient information to impersonate an individual when dealing with many financial organisations."

6. End users remain the weak spot in defending against data breaches

While companies can build robust defence systems, they still need to be mindful of their employees and their customers providing an opening for hackers. Gaurav Banga, co-founder and CEO at Bromium, says: "The fact that an eBay database containing highly sensitive user information was compromised through employee log-in credentials demonstrates that end users continue to be the weakest link in the chain and the most valuable to be attacked."


7. Attacks are being picked up weeks after the event

A report by the security arm of Verizon revealed that companies are still less likely to discover breaches than law enforcement or third parties, creating an inevitable lag in detection. David Robinson, chief security officer at Fujitsu UK & Ireland, said: "The fact that this breach was able to go unnoticed for a number of weeks is testament to the fact that companies need to be doing more as the cyber-criminal industry continues to evolve."

8. It may be time to ditch the password

Some banks have already moved to authentication involving card-readers, but other industries could well be advised to join them. Richard Parris, CEO and founder of Intercede, said: "All businesses, including eBay, need to wake up to these risks and adopt stronger authentication for both employees and users of their services or sites. The answer lies in two-factor authentication – something you have and something you know. It’s now time for businesses and society to wake up to the fact that passwords are dead and we need a more secure alternative."
