eBay suffers major data breach

eBay has asked users to change their passwords because of a cyber-attack that compromised a database containing passwords and other personal data such as names, email addresses, physical addresses, phone numbers and dates of birth. Cyber-attackers compromised a small number of employee log-in credentials, allowing unauthorised access to eBay's corporate network, the company said. Financial data has not been leaked, according to the company. It is not yet known how many people have been affected, but the company has 145 million active users around the world.

Margaret Tofalides, Commercial IP/IT and Data Protection Partner at Clyde & Co said: “Retailers should focus upon avoiding the storage of cardholder information wherever possible, deploying encryption to protect information where it is stored, and ensuring a data loss prevention solution is in place to prevent credit card information from being leaked out of the organisation.”

“Ultimately retailers should take these steps to avoid incurring fines for non-compliance with the Payment Card Industry Data Security Standard regulations. There is a contractual obligation on retailers to notify the PCI in the event of a security breach and so retailers should prepare a strategy for how they would approach a PCI notification, in the event that the worst happens. Cyber insurance is also necessary to protect the company and its investors from a significant data breach; many retailers lack an effective breach contingency plan and cyber insurance is not only risk transfer but an important service to manage the breach.”

In the US, the Attorneys General of Connecticut, Florida and Illinois are investigating eBay’s security practices. It is unclear what legal authority states have over eBay's handling of the matter.

Speaking on the BBC Today programme on 23 May, UK Information Commissioner, Christopher Graham, urged eBay customers to set new, strong passwords on the eBay website, and warned that organisations need to be more vigilant – the ultimate price to pay is the reputational damage to a brand, he said.

eBay shares have fallen more than 1% this week.

Margaret Tofalides will be discussing how to adopt protective measures to fight cybercrime in the August issue of PL&B UK Report. She will also cover this subject in a presentation at Privacy Laws & Business 27th Annual International Conference, New Horizons – New Risks, Queens’ College, Cambridge, 30 June - 2 July.