Dealing with the fallout of a company data breach is a PR nightmare no matter how you spin it, but there is a right and a wrong way to go about it. The right way involves keeping any potentially affected parties abreast of all developments as soon as they happen, not weeks later. If a probable attack is verified on a Monday, customers should be notified that same day. All too often this is not the case: instead of operating with professional transparency, breached enterprises decide to avoid telling customers for as long as possible. This practice is as common as it is unprofessional, and you can add eBay to the list of companies that did it.
eBay breach results in customers having to change passwords
On May 21, online auctioneer eBay announced on its website that it had fallen victim to a cyber attack that resulted in the exposure of customer password information. The announcement did not specify how many customers’ passwords were affected, but considering that eBay has 128 million users worldwide, the scale of the breach is potentially massive. If all customer passwords were exposed, the breach will surpass Target in the number of affected parties. The fact that the intrusion happened in the first place suggests that eBay did not have stringent enough endpoint threat detection and response mechanisms in place.
As a result of the company’s security shortcomings, part of the onus now falls on its customers, who are being asked to change their eBay passwords, as well as any other accounts for which they used the same password as their eBay account.
“Changing passwords is a best practice and will help enhance security for eBay users,” the company said on its blog, adding that it “regrets any inconvenience or concern that this password reset may cause our customers.”
But this company apology may be too little too late, considering eBay was far from forthcoming in the immediate wake of the attack.
Company’s response to attack was problematic
Despite reaching out to customers on May 21, eBay had known about the intrusion for two weeks, according to CNET. That it chose to delay telling customers until now suggests a concerning lack of transparency in a situation where forthrightness is paramount. After all, what if customer accounts were compromised during those two weeks the company kept users in the dark? If that happened, the fault lies squarely with eBay.
In addition to its delay in reaching out to affected parties, eBay was also inconsistent in how it chose to reveal the news. The first public indication of the breach came via a posting on PayPal, the virtual payment platform that eBay owns and which many of its customers use, with the title “eBay, Inc. to Ask All eBay users to Change Passwords.” The post contained no text and was subsequently removed, which certainly won’t help in bolstering customer trust toward the company.