
eBay hack demonstrates difficulty of mandatory 24 hour breach disclosure

May 2014 by Lucas Zaichkowsky, Enterprise Defence Architect at AccessData

eBay customers are being advised to change their passwords after the online auction site discovered that one of its databases had been compromised between late February and early March 2014. eBay reports that the intrusion was only detected about two weeks ago.

A post on eBay’s corporate site discloses that the attackers gained access to eBay’s network using a small number of compromised employee login credentials. Once inside the network they copied a database of customer records containing names, email addresses, physical addresses, dates of birth and phone numbers, along with what eBay describes as encrypted passwords. eBay has reassured customers that payment card details are stored separately, in encrypted form, and that the forensic investigation found no evidence of unauthorised access to customers’ financial details.

Lucas Zaichkowsky, Enterprise Defence Architect at AccessData, comments: “eBay Inc.’s corporate blog reports that, ‘compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.’”

“eBay reports that it has been working with law enforcement and ‘applying the best forensics tools and practices to protect customers’, and yet it still took three months for the initial cyber attack to come to light and then another fortnight to investigate, remediate and disclose the issue to customers. However, eBay is not alone. Earlier this year AccessData and The Ponemon Institute surveyed 1,083 CISOs about how their organisations handle the immediate aftermath of a cyber attack and what could be done to improve response and remediation times. Eighty-six per cent of respondents said that detection of cyber attacks takes too long. Thirty-eight per cent reported that it could take them a year to find the source of a breach, while forty-one per cent admitted that they may never find the root cause.”

“Once a breach has been identified, the lack of integration between different security monitoring products makes it incredibly difficult for security practitioners to wade through the volume of alerts and data, isolate affected nodes and pinpoint the root cause of a compromise. This does throw doubt on whether organisations can comply with mandatory disclosure of serious data breaches within the 24-hour period proposed by the EU General Data Protection Regulation.”

“The eBay attack is not an isolated incident. This type of database hacking activity has been happening for years and will only get worse. There are hacking groups such as the Syrian Electronic Army that operate primarily by stealing large databases of passwords, as we saw in the Zappos incident. The intent of the attacker is either to use those stolen passwords to break into other targeted organisations or to make money by selling them on the black market to those that want access. If the stolen passwords are properly protected using appropriate cryptography standards, as is the case with eBay, they’ll brute-force crack the weaker ones, such as passwords based on words or names.”

“Most businesses have employees who use the same password, or variations of the same one, for multiple accounts, personal and work related. All companies should take note of this breach and proactively reset employee passwords, since most of them likely have an eBay account. Otherwise, they’re taking a risk that one of their employees had a weak password and their work account will be accessed by an attacker to log in and steal data or embarrass them publicly. No malware is involved in these attacks.”

“In the long term, users and organizations should turn on two-factor authentication on any accounts that support it and use a password management tool to generate and manage strong, unique passwords for every account.”
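The two points made above, that a properly salted and iterated password hash still gives up dictionary-based passwords to an offline attack, and that a recovered password is then tried against the same user's other accounts, can be seen end to end in the following added example. It is illustration written for this page, not code from AccessData, eBay or the author; the user names, passwords and wordlist are constructed, PBKDF2-HMAC-SHA256 is an assumed stand-in for whatever hashing eBay actually used, and the iteration count is kept deliberately low so the demo runs quickly.

```python
"""Offline dictionary attack against a leaked table of salted password hashes,
followed by a credential-reuse check against a second system.

All data below is constructed for the demo; PBKDF2-HMAC-SHA256 is an assumed
stand-in for the breached site's real password hashing."""
import hashlib
import hmac
import os

# Deliberately low so the demo finishes in well under a second; production
# deployments use a far higher count (or a memory-hard KDF such as scrypt).
ITERATIONS = 1000

# Constructed sample of a breached user table. Plaintexts are listed only so
# the demo can build the hashes; an attacker sees just salt + digest.
SAMPLE_USERS = {
    "alice": "password123",
    "bob": "Summer2014",
    "carol": "ebay!",
    "dave": "xK9#v2Lq8Tz$wR4n",   # long random secret, e.g. from a password manager
}

# Constructed second system (a "work" directory): alice reused her password,
# the others did not.
SAMPLE_WORK_USERS = {
    "alice": "password123",
    "bob": "correct-horse-battery-staple",
    "carol": "Tq7!mZ2pLx9#",
}

# Tiny constructed wordlist; real attacks use lists of millions of entries.
WORDLIST = ["password", "summer", "ebay", "letmein", "monkey", "welcome"]


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted, iterated hash as a site would store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_table(plaintexts):
    """Simulate the stored (and later stolen) table: user -> (salt, digest).
    Per-user random salts defeat precomputed tables but do nothing against a
    per-user dictionary attack, because the salt leaks with the digest."""
    table = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        table[user] = (salt, hash_password(pw, salt))
    return table


def candidates(wordlist):
    """Apply a handful of mangling rules of the kind cracking tools use."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for suffix in ("1", "123", "!", "2014"):
                yield base + suffix


def crack(table, wordlist):
    """Per-user dictionary attack. Returns user -> recovered plaintext.
    Every guess must be rehashed with each user's own salt, so the cost is
    users x candidates x iterations: a slow KDF makes each guess dearer but
    cannot save a password that is in the wordlist."""
    cands = list(candidates(wordlist))
    recovered = {}
    for user, (salt, digest) in table.items():
        for guess in cands:
            if hmac.compare_digest(hash_password(guess, salt), digest):
                recovered[user] = guess
                break
    return recovered


def reused_at_work(recovered, work_table):
    """Credential-stuffing step: try each recovered password against the same
    username on a second system that has its own, different salts."""
    hits = []
    for user, pw in recovered.items():
        if user in work_table:
            salt, digest = work_table[user]
            if hmac.compare_digest(hash_password(pw, salt), digest):
                hits.append(user)
    return hits


def run_demo():
    """Build both tables, crack the leaked one, then test reuse."""
    leaked = build_table(SAMPLE_USERS)
    recovered = crack(leaked, WORDLIST)
    reused = reused_at_work(recovered, build_table(SAMPLE_WORK_USERS))
    return recovered, reused


if __name__ == "__main__":
    recovered, reused = run_demo()
    for user in SAMPLE_USERS:
        print(f"{user:6s} {recovered.get(user, '<not cracked>')}")
    print("recovered passwords that also open a work account:", reused)
```

Running it recovers alice, bob and carol, whose passwords are a dictionary word plus a common suffix, leaves dave's random password untouched after every candidate has been tried, and then shows alice's recovered password opening her work account despite the second system using its own salts. Raising the iteration count only multiplies the attacker's cost per guess; it is the wordlist membership of the password, not the hashing, that decides whether a given account falls.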

References:

eBay Inc., 21st May 2014, “eBay Inc. to ask eBay users to change passwords”. http://www.ebayinc.com/in_the_news/story/ebay-inc-ask-ebay-users-change-passwords

BBC, 21st May 2014, “eBay makes users change their passwords after hack”. http://www.bbc.co.uk/news/technology-27503290

The Ponemon Institute, February 2014, “Threat Intelligence and Incident Response: a study of US and EMEA organizations”. http://www.ponemon.org/blog/threat-intelligence-incident-response-a-study-of-u-s-emea-organizations

SC Magazine US, 13th February 2014, “Study finds attack detection takes too long”. http://www.scmagazine.com/study-finds-attack-detection-takes-too-long/article/333988/

Zappos, 20th January 2012, password change advice sent to customers following database breach. http://www.zappos.com/passwordchange

