Cyber Attack Security

The company said it has seen no indication of increased fraudulent account activity on eBay, evidence of unauthorized access, or compromises to personal or financial information for PayPal users.

“After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats,” eBay said in a statement. “However, changing passwords is a best practice and will help enhance security for eBay users.”

But several factors still worry cyber security experts – including the fact that the breach was only detected two weeks ago, apparently giving the hackers plenty of time to exploit the company network. Passwords, even though encrypted, are still be subject to so-called “brute force” password cracking, cyber experts say. Also, consumers often use the same password across several sites, increasing the vulnerability. As well, the large amount of exposed personal information could still be a potential goldmine for identity thieves, they say.

The eBay breach follows on the heels of the April disclosure of the “Heartbleed” vulnerability in web-based encryption systems that potentially exposed about half of all Internet websites to hack attacks. Just last December, Target Corporation revealed a hack that potentially affected 110 million customers.

“This hack is particularly significant because eBay has a reputation for taking very strong security measures,” says Michael Sutton, vice president of security research for Zscaler, a cloud-based cyber-security firm with headquarters in Sunnyvale, Calif. “What’s been revealed so far suggests a targeted attack directed at specific employees, possibly a phishing attack. It’s got to be of concern that it was only discovered a couple of weeks ago.”

Companies have tended to rely on firewalls and other means to create a cyber fortress. But this hack shows is that it’s just about impossible to keep intruders out – and that the key is monitoring networks constantly to detect any intrusion quickly before massive damage can be done, Mr. Sutton says.

It also suggests a sea-change has occurred – and may still be occurring – in how companies deal with such hacks. Until a few years ago, most companies did everything they could to bury such hacks, rather than have them become public. But data disclosure laws – and the admission in early 2010 by Google that it had been hacked by Chinese cyber spies – has helped companies fess up to cyber breaches and forced them to improve their cyber security.

“That’s the silver lining here,” Sutton says. “Partly as a result of Google doing what it did, we’re seeing a lot more companies admitting they’ve been hacked. They know it’s better to get the bad news out and deal with it. But it's still a front page headline so CEO feet are now being held to the fire on cyber security – and that’s also forcing companies to improve their security posture.