The Aftermath of the eBay Cyber-Attack and the Lessons to be Learnt…

In May it was announced on news sites such as the BBC and Sky News that the popular e-commerce site eBay had been breached in late February and early March. The breached database contained phone numbers, addresses, dates of birth, other personal data and encrypted passwords. The company never disclosed how many of its 148 million active accounts were affected but has asked all active users to change their passwords. The hackers infiltrated the network by obtaining a small number of employees’ login credentials. Luckily the hackers did not access the financial database of eBay’s subsidiary PayPal, because it was stored on a separate network.

The Aftermath

Since the news broke, many customers have complained about and criticised the way the situation was handled, and Attorneys General in at least 3 US states have begun investigating the incident. Users were also outraged that eBay waited 2 weeks after discovering the breach before publishing it; their explanation was:

“For a very long period of time we did not believe that there was any eBay customer data compromised,” commented Global Marketplaces chief Devin Wenig shortly after the news was announced.

After promising that password resets would be made mandatory on the website, it was days before this was carried out, and users who wanted to change their passwords after the initial announcement were unable to because the site struggled with the abnormal number of reset requests. Both of these factors added to the negative feeling amongst eBay users.

In a bid to reassure customers, eBay released a statement saying it had seen no indication of increased fraudulent account activity on the site. It would seem eBay has missed the point, though: the main concern is what the cybercriminals can potentially do with the unencrypted information they stole, such as the phone numbers, addresses and dates of birth. So the question is, why wasn’t this personal data encrypted like the passwords?

Considering eBay is responsible for a vast amount of personal data, you would assume it had better incident response and management, breach detection, network admin login protection and communication practices.

The most important lessons to take from this incident are that good IT security practices for networks are essential for every business, that regular network security assessments are required, that staff must be educated on security, and that good crisis management is needed.

Breaches can happen to any company, and poor incident response and management only rub more salt into the wound, with the potential to create further long-term damage to brand reputation.

For more information on IT network security practices and services, please feel free to contact us on 0845 603 5552.


Your Emails could be a Door for Malicious Software…

Email spam and phishing are certainly not new, but they are becoming more sophisticated. They increasingly take on the appearance of something the recipient is familiar with, appearing to come from a delivery company, social media contacts, banks, stores and so on. The more familiar the content seems to the recipient, the more likely they are to open it or click the links within the email, which could lead to their system being infected.

The purpose of malicious spam is to make money, obtain sensitive information or spread malicious code. Emails can contain links that direct the reader to phishing or malware-laden websites, or they can carry malicious file attachments, such as CryptoLocker, which surfaced in 2013.

CryptoLocker is often concealed within a fake delivery note attachment; once opened, it installs trojan ransomware on the system, encrypts the victim’s data and sells it back to them! Within a week over 10,000 people fell victim to it, and months after its initial debut there are now reports from ThreatPost that it can infect Android devices too (don’t worry, you have to download the APK file first!).

Email security is a cause for concern. The Kaspersky Security Bulletin suggests corporations are increasingly falling victim to cybercrime: 91% of those surveyed fell victim to a cyber-attack at least once in the last 12 months, and the top causes included viruses, malware, spam and phishing. What’s more, in 2013 alone Kaspersky Lab products detected a total of almost 3 billion malware attacks on end users’ computers!

However, with the ‘Internet of Things’, where everything is connected, sophisticated spam, malware and phishing attacks are no longer limited to emails and the internet: in January it was found that 750,000 spam emails had been sent from compromised smart fridges.

Another example is the US retailer Target, whose point-of-sale (POS) system was infected with malware; as many as 40 million credit and debit card details and 70 million customers’ personal details were stolen in the cyber-attack. This POS malware attack caused both financial and brand reputation losses, with worried consumers avoiding the stores and sales declining, with a predicted decrease of 2% to 6% for the quarter. Also, whether it is directly related to the data breach or not, Target stated in a press release that there will be store closures in May.

For corporate victims of spam, malware, viruses and phishing, more often than not the motive is simple: to obtain business data. Email is a quick and convenient communication tool, and it is often misused as a carrier of malicious spam; having an email security solution in place can lower the risk of these attacks. There are a lot of choices when it comes to email security on the market, so choose carefully. It may seem trivial to talk about email security, but emails can be the door to your systems and data for cybercriminals. Be protected!