eBay has asked 150 million users worldwide to reset their passwords, after learning of a cyber-attack on a database including encrypted passwords and other user data. Initially, eBay provided few details about the actual attack, which is under investigation by the FBI and a cyber-forensics firm. They did, however, indicate that the email addresses, physical addresses, phone numbers, birthdates and encrypted passwords of users were exposed when attackers gained access to the company’s corporate network using stolen employee login credentials. According to eBay’s forensics team, no financial information was accessed during the cyber-attack, as it is stored separately. The unauthorized network access occurred in February and March and was just discovered two weeks ago.

According to an article published by Reuters.com, eBay users had been expressing concern that, initially, they heard more from the media about the data breach than from eBay itself. The company’s initial announcement stated that they started emailing customers on Wednesday about the breach. Perhaps these customers hadn’t received the notice yet. As of Thursday afternoon, the day after the announcement, information about the breach and the password change request was not readily available on the eBay website’s home page, either.

These items may indicate a poor incident response plan at eBay, although it’s hard to say at this point because there is a lot we do not know and the breach is still under investigation by the company and federal investigators.

This breach may be the second-largest breach in terms of the number of records affected. The largest breach to date occurred in October of 2013 when hackers infiltrated the security systems of Oracle. [Side Note: This site provides an interactive chart of the “World’s Biggest Data Breaches,” tracking both number of records stolen and sensitivity of the data. It also allows you to filter by organization type and breach method.]

What are the key takeaways for health care organizations?

  1. Large organizations aren’t always secure. Healthcare organizations should be aware of the risks when outsourcing to large vendors, especially cloud-based SaaS providers, who flaunt superb IT security practices. Nowadays, any network is susceptible to a breach.
  2. When a breach is discovered, there can be chaos and unpreparedness, both in terms of the technical response and in terms of the public relations plan. Healthcare organizations are advised to complete advance preparations, planning, training and drills to fully prepare for the possibility of a breach, including establishing breach notification plans.

Visit this page for all official company communications regarding this “network compromise.”

 

 

 
