As eBay Inc. faces criticism for its response to a recent data breach, experts say that other companies should learn from the online auction giant's missteps.
Announced on May 21, the eBay breach was the result of attackers compromising a "small number" of employee login credentials between late February and early March, according to a statement summarizing the incident on the company's website. Those credentials were then used to access up to 145 million customer records, including names, email addresses and encrypted passwords.
Their infrastructure probably could not take a massive password reset … and they're probably erring on the side of protecting their revenue stream.
JD Sherry, VP of technology and solutions, Trend Micro
San Jose, California-based eBay declined to provide further information as it investigates the incident in coordination with law enforcement and incident response firm Mandiant, recently acquired by FireEye Inc. The company has been adamant in affirming that no financial information was exposed as part of the breach, and that payment data from eBay-owned PayPal Inc. is stored separately.
EBay breach response under scrutiny
Despite being a large public company with, by all accounts, a mature information security program, eBay has been widely criticized by the public and information security professionals for its response to the breach.
First, the company's public disclosure came more than two months after the breach occurred. An eBay executive told Reuters that the company mistakenly believed customer data had not been compromised, but declined to say how much time passed between the point when it confirmed customer data had been breached and its public disclosure.
When it did publically announce the breach, eBay advised its customers to reset their website passwords, despite assurances that such passwords were encrypted. However, the mechanisms behind the password reset have come under criticism, with some customers complaining that password-reset messages took hours or days to arrive, while others encountered website errors when attempting to create new passwords.
Some customers complained that eBay failed to adequately inform them as to what exactly caused the breach and how they should respond. News agency Reuters reported complaints from eBay customers that it took days for many customers to receive detailed disclosure emails from eBay, and that the public notice alerting users to the incident was only posted on the front page of the corporate site eBayInc.com, not the highly trafficked eBay.com homepage.
For at least the past two weeks, however, a notice has appeared up on the front page of eBay.com, though it sometimes rotates out for other items like daily deals.
The combination of all these issues has led to a plethora of customer complaints on the eBay Community online forum, and on social media.
"[E]Bay took way too long to respond to this 'problem.' I started getting rejected sent phishing emails back in my personal email inbox that appeared to have been sent from my eBay "My Messages" email add[ress] back in late March, early April time frame," said user jd9912 in a post on the eBay forum. "Now, four weeks later eBay decides to notify everyone of a problem they've known about for almost three months? What's up with that?"
Hey guys, I just got an email from eBay saying that I should reset my password. [Looks at calendar.] I guess this was urgent, right?
— Stilgherrian (@stilgherrian) June 1, 2014
— Alex Konrad (@alexrkonrad) June 1, 2014
— BLAKE (@BlakeTurton93) June 1, 2014
EBay breach response lessons
A variety of experts told SearchSecurity that eBay made mistakes both before and after its data breach that can be used to guide future incident response efforts at other organizations.
Tim Rohrbaugh, chief information security officer of Chantilly, Virginia-based Intersections Inc., said that the details that have been released so far about the way eBay handled employee authentication credentials are concerning. Most mature security programs assign unique and varied user account credentials based on whether an employee is accessing his or her own email accounts or more sensitive production systems.
"Why eBay was not using this basic design is very concerning and telling," said Rohrbaugh.
Trey Ford, global security strategist with Boston-based Rapid7, agreed that eBay's inability to secure its employees' credentials is worrying, particularly as attackers have grown increasingly reliant on the theft of legitimate login credentials to infiltrate enterprise networks. In fact, stolen authentication credentials were the most prevalent attack action recorded in this year's Verizon Data Breach Investigations Report.
Ford said there are a variety of indicators that can be used to spot stolen credentials, including logins from unusual geographic locations, users signing in to systems they normally don't use and other anomalous behavior that falls outside of established usage patterns.
EBay's mistakes before the breach were only multiplied by the mistakes made in its public-facing response. Ford described the lack of transparency and prompt communication surrounding the incident as "a little frustrating" -- especially as he has worked with eBay's security professionals in the past and found the entire security program, from the technology deployed to the staff in place, to be top notch.
For instance, eBay announced a general timeframe when the attack occurred, Ford said, but has so far failed to provide further details on when or how the breach was detected, leaving customers to wonder about the timeline of events and why the disclosure is happening months after the breach. He did concede that some details may need to be held back until eBay's investigation is completed, especially as law enforcement is involved.
Ford said the sloppy eBay breach response has only hurt the company's public perception and served as a warning for other organizations on how best to prepare for a security incident.
"I would have a playbook and have an expectation of the types of data you would like to be able to share" in the event of a breach, said Ford. "And discuss that as quickly as you can with your breach or law enforcement partner when things start.
"Everyone has had a late train or a late flight, but it's not the end of the world. Imagine sitting at the airport and not getting any updates … you're just stuck sitting there and wondering," Ford continued. "I'm of the school of thought that more information is better. I believe achieving a level of transparency inspires confidence."
JD Sherry, vice president of technology and solutions for security vendor Trend Micro Inc. of Irving, Texas, agreed that communicating all relevant breach details to customers in a timely manner is critical for maintaining brand loyalty and integrity.
Unfortunately, Sherry said that eBay failed to learn from other massive data breaches that occurred over the last year. For example, when Adobe Systems Inc. suffered a breach last year that reportedly involved more than 150 million user records, the company swiftly moved to automatically reset all passwords it believed had been compromised.
In comparison, eBay chose to ignore that best practice and instead asked its customers to reset their passwords manually, Sherry said. The fact that that process has not been a smooth one, he added, is a signal that perhaps the company was not prepared for an incident of this magnitude.
"Their infrastructure probably could not take a massive password reset," said Sherry. "They're balancing that production impact versus being ethical and forthcoming, and they're probably erring on the side of protecting their revenue stream."
Though it's unclear exactly what the company's priorities have been during its breach response process, security pros like Sherry acknowledge that other companies can learn a lot from eBay's mistakes.
"I would give eBay a C if I'm grading them on a scale," Sherry said. "You should be doing exercises with your incident response team around what other organizations [like Adobe and Target] did right, and what could they have done better."