View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Software
May 22, 2014updated 22 Sep 2016 11:28am

Oracle: 3 ways to avoid being the next eBay data breach

Oracle says breaches are inevitable – it’s how you deal with them that matters.

By Joe Curtis

Hackers stole the personal data of hundreds of millions of eBay customers, the online auction site admitted today.

Cyber criminals managed to compromise a small number of employee log-in credentials, gaining unauthorised access to eBay’s corporate network and causing quite a bit of damage.

It’s possibly the biggest commercial cyber attack to date, and while the 220 million victims’ financial details are safe, their personal information doesn’t seem to be.

Cyber criminals managed to steal names, email addresses, home or work addresses as well as phone numbers and dates of birth – basically enough to commit some serious identity fraud.

Weirdly enough, eBay should be kind of happy despite the bad press. Had this happened not in 2014, but in 2015, it’s very likely they would be facing a huge fine – up to €100m, or 5% of annual revenues, for EU-based data (more than 15 million British people could be in that 220m number).

Up till then, the UK’s Information Commissioner’s Office could only levy fines of £500,000 max – fines that have already hit Sony, the Ministry of Justice and others.

That’s all because of new EU data regulations due to be drafted into law ready for 2015, which expand the definition of personal data from the old guidance published in the mid ’90s, as well as making companies more responsible for the personal information of their customers.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

CBR speaks to Oracle’s UK technology director for mobility and information security, Andrew Bushby, about how not to become the source of the next big data breach.

Make data a corporate asset

"Data is a corporate asset and should be on the books," says Bushby. "Previously the ICO has suggested that to make organisations take the appropriate measures on this they should put a value on their data and have it on the books of the business.

So when they do start looking at the risk value and how to protect it, they actually put it into the right business context and know how they should look after this data."

Make sure your board knows the risk of customer data

When it comes to customer data, it’s unlikely to be the boardroom directly responsible for accepting the risk of a project. Bushby thinks that’s about to change.

"The people signing [data] risks off on projects right now are nowhere near making those decisions on a purchase to that level. That has to change.

"One of the goals of this legislation is to get people thinking about [changing the hierarchy]. We’ve seen that in government so that there’s not a fall guy further down the stack – there’s someone appropriate to make the right decision."

Security should be from inside to the outside

While eBay had encrypted customers’ passwords, what about their personal information? Bushby contends that while firewalls are important, the most important thing is to make sure your customers’ data is encrypted too – and that no-one has the key.

"Our mantra is security from inside out," he says. "A lot of organisations will put investment into security, but are they always putting it in the right place? We do need to make sure organisations have appropriate firewalls and threat protections in place.

"But you also have to think about security from the inside – how do you protect the data on the inside, because if they do get past those firewalls you don’t want to let them access the soft underbelly of the environment. You also need to make sure that people don’t know the encryption keys."

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.