Security Breach at eBay

On the 21st of May 2014 eBay announced a security breach on its database that affected more than 148 million customers. The magnitude of the incident as well as the number of customers affected qualifies it to be the second largest data breach of all time. This incident had posed severe risks for general identity and password theft as the database containing users’ passwords had been affected. In regard to the breach, the company responded by urging its customers to change their passwords and to use credit card monitoring services (McCandless, 2016). This essay discusses the situation while analyzing how eBay handled the security breach and the resultant response.

The company is a multinational e-commerce company headquartered in the US and founded in 1998 by Piere Omidyar’s.  It is an online auctioning company which has built person to person as well as business to consumer trading through the internet platform. Essentially, eBay has become a notable success story for the dot com bubble. It is a multibillionaire dollar business within over 30 countries (“Buyer Tutorial”, 2016). The place of the company is perhaps manifested through its looming online presence and the number of sales transacted through the website. In the first quarter of 2016, the company reached 162 million active users translating into more than 250 million daily searches on the site.

The incidence of the security breach was somewhat shocking because the company is one of the largest online shops in the country. According to eBay the security breach incident was reported to have taken place between late February and early March. Incidentally, hackers had managed to retrieve information from a small number of employee details and were then granted access to eBay’s database. Following this access, the hackers were exposed to eBay’s customer details including their names, encrypted password, and physical address, email address, DOB and phone numbers (Blevins, 2016). Eventually, the same people were then able to access the company’s corporate network and threatening the security of the users’ credit card information.

The incidence of the security breach is not a problem per se for the company as it is not an isolated case. Across the world, companies have increasingly been under attack from hackers that compromise the security of users’ login credentials. In fact, eBay is neither the first nor the only company to witness a large scale security breach on its website. Data breaches are becoming more and more common all over the world owing to increasing use of the internet platform. In addition, the advancement in technology renders such attacks more imminent as hackers become more experienced in the same. Nonetheless, data security breaches may not entirely hurt the reputation of the companies. However, the manner in which the company handles the breach can affect the reputation in an entirely different aspect (Drinkwater, 2016). In spite of eBay being one of the largest multinational companies with a mature information security program, eBay has been questioned by the public in regards to its response to the data breach deeply affecting its perception among the public.

The poor management of the crisis at eBay is a key reason to the backlash that the company received from the public. In fact, the total process was handled as a joke resulting in public outcry. One of the first problems with eBay’s security breach was that the disclosure of the breach was announced more than two months after the breach had occurred. An executive from eBay announced to the public that the company had mistakenly believed that the data had not been compromised in the first place. In view of the same, the company had decided not to notify its users because they believed they had not accessed the customers’ data. Accordingly, the company would only let them know when it first realized these attackers had information in regards to customer data (Finkle, 2016). When data had been breached on the 21st of May 2014 customers had advised to reset there passwords manually. Obviously, this should have been the first step so as to safeguard the security of the users’ data including their credit card information.

Even when eBay announced the breach, the company insisted that there was no evidence of released data exposure. In addition, the company maintained that data relating to financial and credit card information was held in separate encrypted databases and was thus not vulnerable to such attacks. However, the company had suspiciously encouraged users of the site to change passwords to help prevent unauthorized access to customer accounts by the hackers. This decision contradicts the statement that the data was protected through encryptions and can be seen as an attempt by the company to prevent the loss of user confidence in the company. Further, eBay had assurance that the users’ passwords were encrypted for an extra layer of security. This assertion, however, came under question when the public criticized the password reset tool as it took several days to provide message feedback.

The response to customers was also poor resulting in the loss of the confidence that the company so desperately aimed to maintain. For instance, the company failed to advise the customers in good time regarding corrective measures. In addition, customers who tried to get in contact with eBay received no announcement regarding the causes of the breach and how customers should respond. Such was the poor handling of the situation that Reuters, a news agency, revealed to eBay customers that it took several days for them to receive disclosure emails from the company. This security breach was announced on eBay Inc site instead of the main site which is highly trafficked (Blevins, 2016). Obviously, the company was not ready to admit that the security breach was of a larger magnitude than it thought. By concealing information on the same, the company was exposing customers to more threats than they already faced.

The result of the poor management was reflected in the diminishing customer activity on the company’s site. In fact, this development is solely attributable to the shyness of the company with respect to information on the incident. In fact, the company recorded a decline in customer activity immediately after the disclosure of the security breach. In addition, the company announced a loss in the number of customers within the eBay website. However, the decline in customers was not the only loss as the company also announced that there would be a loss of around $200 million dollars in revenue. According to Semafone, a UK based fraud prevention company, over 86.55 of people would not do business with a company who have had a security breach. (Bailey, 2016). In this respect, eBay its popularity notwithstanding was bound to lose on the number of customers willing to engage in business on its platform.

eBay had clearly made a number of mistakes before and after the breach, eBay should use this as a guide for future business incidents.

Before the incident of the security breach eBay was known to have problems according to Trey Ford who is a global security strategist as they do not use varied and unique user account credentials based on whether an employee has accesses his or her own email accounts or more sensitive production systems this has also been a serious problem as eBay have not been using this basic design for their security.

More and more attackers are becoming reliant on theft on login credentials to be able to attack organisations such as eBay. Ford also said that there were a certain number of ways to check if these credentials had been stolen which include different geopgraphical location logins and those users who don’t use anomalous behaviour which falls outside of established usage patterns. (Techtarget).

eBays lack of transparency and communication have also been a huge problem for their reputation. For instance their lack of timeframe for announcing the attack to the public has lead to them to question about the timeline of events and why the disclosure is happening after the breach this also lead the public to question eBay why or how the breach was detected.

As customer complaints became apparent eBay clearly had failed to inform them of the situation questioning its customer service. With eBays poor performance in regards to their response To improve this, they should have measures in place about with a quicker response time to the public in regards to its Information security program.

It has become apparent that most even though there are identity thefts, people still trust the security of online retailers such as paypal and eBay. From the breach around 85% had changed their passwords according to eBay. Aite Group who is a financial research and advisory firm who had surveyed consumer behaviour towards fraud had founded that consumers would rather trust online security rather then retail stores (Chabrow, 2016).

JD Sherry who is the vice president of Technology solutions, Trend Micro said that eBay had failed to learn from other data breaches. In 2013 Adobe had also been in a security breach.






Do you need an Original High Quality Academic Custom Essay?