eBay Attack Another Example of Need for Stronger Authentication


It can’t be easy to be a company — particularly a large, trusted company — dealing with a breach. For a business in that position, the conversation must quickly shift from the incident itself to a plan for reaching out to customers.

An unfortunate tendency among breached enterprises in recent years has been to avoid keeping customers in the loop for seemingly as long as possible. Whether this is to allow more time for an internal response or simply a tactic to save face, it’s a practice that needs to stop. Simply put, enterprise security is everyone’s business.

The Popular Online Auction House Falls Victim to Attack
EBay customers received a notice from the company informing them that they need to change their passwords following a malicious encroachment on a company server, according to eBay.

The company stated that the attack happened between late February and early March, and occurred because cybercriminals were able to steal login credentials for several employees. This suggests that eBay needs a stronger authentication system for employees to prevent a future incident.

A probe conducted by eBay into the extent of the attack revealed that although passwords and email addresses were compromised, no customer financial information appears to have been exposed.

This is lucky considering that eBay owns PayPal, an online payment system that provides a direct link to customer bank account information. According to eBay, PayPal data was not breached, since its information is contained in a different enterprise network than the one that was compromised.

EBay Latest Company to Appear Evasive in Wake of Attack
According to CNET, eBay was by no means direct with its users after discovering the attack.

First, on the morning of May 21, PayPal released a notice saying “eBay, Inc. to Ask All eBay users to Change Passwords.” The notice was then taken down as quickly as it had gone up — but not quickly enough to prevent it from making the social media rounds.

Then it was revealed that although the server infringement had happened back in late February and early March, it wasn’t discovered by eBay until two weeks ago, which will likely only exacerbate the sense of customer mistrust that will arise as a result of the attack.

If you’re a breached company and in doubt about your plan of action, the best avenue is total transparency.


Entrust provides identity-based security solutions that empower enterprises, consumers, citizens and websites in more than 5,000 organizations spanning 85 countries. Entrust's identity-based approach offers the right balance between affordability, expertise and service. With more than 125 patents granted and pending, these world-class solutions include strong authentication, physical and logical access, credentialing, mobile security, fraud detection, digital certificates, SSL and PKI.

