Is eBay’s recent Data Breach the Biggest Data Breach in U.S. History?

May 22, 2014

Maybe not, but close enough to warrant attention.


By Fernando M. Pinguelo and Daniel Sodroski

As early as February 2014, eBay, Inc., a multi-billion dollar company that services and manages one of the world’s largest user-to-user auction websites, had significant customer information stolen. Cybercriminals who gained access to the company’s internal and customer databases managed to obtain customer names, addresses, email addresses, phone numbers, birth dates, and user passwords—extremely sensitive information, to say the least. Reportedly, credit card information and online payment information, such as one’s PayPal account, were not compromised.

On May 21, 2014, eBay issued a public statement urging its users to change their passwords. While the auction giant did not disclose how many of its 148 million registered users were affected, eBay gave assurances that there has yet to be any malicious activity on any eBay accounts (i.e., the passwords acquired have not yet been used) and that the passwords stored in eBay’s database are encrypted and virtually impossible to decipher. Regardless, it behooves online customers to change their passwords to prevent their accounts from being hijacked.

More interestingly, eBay discovered the breach two weeks ago. Although this is not the biggest data breach in U.S. history, the company began immediate forensic proceedings to uncover the damage incurred by the cyber theft, leaving many to ponder why the eCommerce corporation delayed notice to customers and the public at large. Accounts may be salvaged due to eBay’s crisis management strategy; however, the cyber thieves still walked away with critical and private customer information. Cybercriminals who have access to the stolen email addresses, home addresses, and phone numbers may attempt to use such information to extract even more private information from eBay users. Therefore, eBay users should be on the lookout for such unsavory attempts.

For more information, please contact Fernando M. Pinguelo, Partner and chair of the Cyber Security & Data Protection Law Group and Crisis & Risk Management Law Group.