eBay hack: Top 4 things the company did wrong

It’s bad enough that eBay’s 145 million customers were victimized by what may be the second largest security breach in history. Worse is the company’s response to the mess, which will also go down in history as a case study of what NOT to do when hackers come calling.

For any organization hoping to replicate eBay’s dubious achievement, here’s a step-by-step guide. For everyone else, consider these as warning signs that perhaps you might want to do business with another company:

Fail to figure out precisely when you were victimized
According to eBay, its main user database was compromised sometime between late February and early March. It’s akin to having thieves rob my house, but I’m not entirely sure when they broke in. It’s a telltale sign that not only were eBay’s security protocols so lax that they allowed the incursion in the first place, but the company’s backup systems and processes were similarly useless to the point that the alarm bells never even went off.

Wait a long time before bothering to tell your customers
The company admits learning about the break-in only in early May – which means those tasked with keeping eBay secure were asleep at the switch far longer than anyone has a right to – and even then took its sweet time going public, believing initially that user data was safe. Verizon’s Data Breach Investigations Report says 62 per cent of breaches remain undiscovered for months, with about an additional one-third caught within a month. But eBay isn’t just any company, and its customers deserve better.

Do your best to hide it
Even when eBay was ready to share the bad news with customers, it did so in an unacceptably low-key manner. The announcement was posted not on the flagship ebay.com website, but on ebayinc.com, which I’m guessing doesn’t have quite the same name recognition. A note eventually went up on ebay.com, but it was a simple reminder for users to update their passwords. Sorry eBay: Too little, too late.

Don’t communicate directly
Email-based messaging allows companies to directly and proactively connect with users who may not necessarily visit the website on a regular basis. Unfortunately many users say they received no such message – not even a copy-and-paste from the website – to let them know something was up.

In fairness to companies like eBay, the world has changed. Customers recognize the growing frequency and scale of online attacks, and to a certain extent won’t vilify or abandon companies for simply being victimized. But that tolerance only goes so far. While stakeholders may cut companies like eBay some slack for being attacked in the first place, they won’t accept a slow, incomplete and clumsy response. They’ll punish companies that try to hide the truth, and they’ll increasingly choose to do business with – and invest in – organizations that build a culture that’s ready to respond to the next anticipated threat.

KPMG’s 2014 Global Audit Committee Survey Report suggests eBay is hardly alone in being behind the security curve, and its results confirm companies could do a better job adapting to the increasingly complex threat environment. Only 11 per cent of Canadian companies see cyber security as a growing company threat, compared to 27 per cent in the U.S. Worse: only 31 per cent of Canadian respondents feel company boards are spending enough time dealing with cyber security issues. In the U.S., it’s 57 per cent.

Watching eBay’s painful stumble through the post-breach minefield suggests the company may have crossed a line. Like Target before it, which continues to count the costs of its own botched response to last year’s massive data theft, eBay is learning the hard way just how critical organizational security competency has become to its – and any other company’s – survival.

Carmi Levy is a London, Ont.-based independent technology analyst and journalist. The opinions expressed are his own. carmilevy@yahoo.ca