eBay Data Breach: How is it Different this Time?

By Fernando M. Pinguelo and Daniel Sodroski

Last week, eBay, Inc. disclosed that its database containing sensitive customer information was stolen as early as February of this year.  While customer password databases have been the target for cybercriminals in the past, eBay’s Data Breach is unique because it is more than just an attack on one massive, multinational corporation – it’s an attack on the many businesses who operate through eBay in a traditional retail eCommerce setting.  So the data breach has the potential to disrupt the operations of the hundreds of retailers, big and small, who use eBay to buy and sell goods to their own customers.

Ebay was founded on September 3, 1995. Throughout it’s history the company has described itself in many ways. Here are some ways in which eBay describes itself:

• “The Commerce Revolution”
• “consumer behavior is shifting, and a “new retail” environment is emerging”
• “It’s less about location and more about consumer engagement – anytime, anywhere.”
• “Just a few years ago, most retailers were fearful. They weren’t sure how to respond to the changing retail landscape. But, to paraphrase Twain, the rumors of retail’s demise were greatly exaggerated. The store will not disappear. It will evolve. Online commerce will not devour offline retail, but will transform how we shop and pay.”

eBay’s handling of the hacked information has been criticized by many and caused concerned customers to demand an explanation from the company.  While no cyber security plan is infallible, eBay’s current predicament is a good example of why every company, big or small, should have a crisis management plan in place.

An effective, written crisis management plan will have several components to it, including:

• An understanding of one’s computer systems, security, and vulnerabilities
• Recognition of common threats, both external threats and internal, company insiders
• Identification of critical intellectual property, know-how, and infrastructure that the company deems confidential, as well as protected personal information
• A crisis management team, ideally one that includes oversight personnel, internal support, public relations, in-house counsel, human resources, and IT
• Methods to communicate effectively and strategically

Let eBay’s incident be a lesson to all companies with an Internet presence.  Companies need to acknowledge that the information they harvest is extremely valuable and is the target for competitors and non-competitors alike.  Of course, preventing these types of attacks and thefts is the number one priority.  However, when the inevitable breach does occur, the victim corporation cannot sit back—it must execute its thoroughly-planned crisis management strategy immediately and do its best to remedy the situation with the foremost concern being customer privacy and customer appeasement.

For more information, please contact Fernando M. Pinguelo, Partner and chair of the Cyber Security & Data Protection Law Group and Crisis & Risk Management Law Group.