Shortly after the eBay press release hit the wire, the media started calling to ask for my feedback on the whys and the hows of this latest debacle.
“Why did this happen?”
“Why does it keep happening?”
“Why do breaches seem to be getting bigger all the time?”
The answer is simple: because information is increasingly valuable.
With all due respect to Simon Sinek, we should not start with why in this case. We can also pretty much ignore the who and the how much to zero in on the what.
So whether the answer is ‘duh, because it has value on the black market’ or simply 42, it’s equally irrelevant, as Douglas Adams correctly pointed out some 35 years ago.
Indeed, the question is the hard part. What questions should we be asking in light of this latest debacle?
I took a shot at this in a lengthy diatribe published here and mirrored here, but I wanted to stick to the essence of the problem by first saying that public relations is not easy. Crisis communications is hard. And breach notification is not a science at all (let alone an art).
With that firmly in mind, eBay’s response was still entirely inadequate. The press release, addressed not to the public but to the media, simply indicated that a few employee accounts were used to gain access to a database of user information. That information included personal addresses, emails, phone numbers, dates of birth, names and um … don’t worry: no financial information. No passwords either, since they were encrypted.
And by the way, you should change your passwords. You should change them anyway, because it’s the right thing to do. And you should change them on all your sites. But don’t worry, because eBay hasn’t seen any additional fraud in the 100 days criminals have had your data.
Wait, what? That does count as the first question you should be asking. The first of 10, let’s say:
- What social engineering method led to your employees sharing passwords with criminals?
- What policies were in place to prevent this, but failed to work?
- What are the chances password encryption will protect those passwords?
- What exact elements of personal information were stolen?
- What new identity information will eBay/Paypal support require going forward?
- What percentage of eBay passwords are shared with PayPal?
- What is keeping eBay from resetting everyone’s password now?
- What should customers do when they get phished, impersonated and defrauded? Because they will.
- What is the point of confusing the public with assertions of ‘no increased fraudulent activity on eBay,’ placating them with ‘cyberattack compromised non-financial info in a database’ and patronizing them by sending them to read a media release not addressed to them?
There are plenty of positive, responsible, respectful ways to announce that you dropped the ball on security. This announcement is not one of them, unless it’s just for the purpose of summarily complying with legislation.