Hackers stole the personal data of hundreds of millions of eBay customers, the online auction site admitted today.
Cyber criminals managed to compromise a small number of employee log-in credentials, gaining unauthorised access to eBay’s corporate network and causing quite a bit of damage.
It’s possibly the biggest commercial cyber attack to date, and while the 220 million victims’ financial details are safe, their personal information doesn’t seem to be.
Cyber criminals managed to steal names, email addresses, home or work addresses as well as phone numbers and dates of birth – basically enough to commit some serious identity fraud.
Oddly enough, eBay may have some reason for relief despite the bad press. Had this happened in 2015 rather than 2014, it is very likely the company would be facing a huge fine – up to €100m, or 5% of annual revenues, for EU-based data (more than 15 million British people could be among the 220 million affected).
Until then, the UK’s Information Commissioner’s Office can only levy fines of up to £500,000 – a cap already reached in penalties against Sony, the Ministry of Justice and others.
That is all because of new EU data regulations due to be drafted into law for 2015, which expand the definition of personal data beyond the old guidance published in the mid ’90s and make companies more responsible for the personal information of their customers.
CBR speaks to Oracle’s UK technology director for mobility and information security, Andrew Bushby, about how not to become the source of the next big data breach.
Make data a corporate asset
"Data is a corporate asset and should be on the books," says Bushby. "Previously the ICO has suggested that to make organisations take the appropriate measures on this they should put a value on their data and have it on the books of the business. So when they do start looking at the risk value and how to protect it, they actually put it into the right business context and know how they should look after this data."
Make sure your board knows the risk of customer data
When it comes to customer data, it’s unlikely to be the boardroom directly responsible for accepting the risk of a project. Bushby thinks that’s about to change.
"The people signing [data] risks off on projects right now are nowhere near making those decisions on a purchase to that level. That has to change.
"One of the goals of this legislation is to get people thinking about [changing the hierarchy]. We’ve seen that in government so that there’s not a fall guy further down the stack – there’s someone appropriate to make the right decision."
Security should be from the inside out
While eBay had encrypted customers’ passwords, what about their personal information? Bushby contends that while firewalls are important, the most important thing is to make sure your customers’ data is encrypted too – and that no-one has the key.
"Our mantra is security from inside out," he says. "A lot of organisations will put investment into security, but are they always putting it in the right place? We do need to make sure organisations have appropriate firewalls and threat protections in place.
"But you also have to think about security from the inside – how do you protect the data on the inside? Because if they do get past those firewalls, you don’t want to let them access the soft underbelly of the environment. You also need to make sure that people don’t know the encryption keys."