eBay announced on Wednesday 21st May 2014 that they had suffered a significant breach of their user details database, which resulted in the personal details and hashed passwords of eBay users being compromised. It has since been revealed that the breach occurred between February and March 2014.
What Took So Long?
For a breach that took place months ago, the fact that eBay is only now asking users to change their passwords is extremely concerning. Whenever a security breach occurs, the affected service is expected to make its users aware of it, so they can change their passwords and keep an eye open for any issues.
Even though your initial investigation may lead you to believe that no personal data was compromised, it is always better to tell your users that you suffered a breach, and prepare them for the worst, rather than risk the level of condemnation that eBay has received due to its poor handling of the incident.
Your users place a large amount of trust in your ability to keep their information safe. Every time you suffer a security incident, you lose a significant amount of any trust you have built up. How much that ends up hurting your profits is directly related to the way you handle the incident.
While there may be legal reasons why you can't give your users all the details regarding an incident, not telling them for months that it has happened at all is a pretty big mistake to make. The sooner you reveal that you have suffered a security breach, the less time the individuals responsible have to use the information they have collected.
Given the fact that the majority of people tend to re-use the same passwords on multiple websites, the longer they believe their password is safe, the more danger they are in.
If you admit the security breach as soon as you discover it, you give your users a chance to get ahead of any issues that might result from them using that password elsewhere. This is a very important way to minimise any negative feeling your users may have.
Why Wasn't All Personal Data Encrypted?
eBay has stated that only the passwords stored in the compromised database were encrypted/hashed. My question (and that of several other security experts) is: why wasn't all the personal data encrypted?
eBay has said that they follow all data protection regulations regarding the storage of sensitive data like credit card numbers. The problem is, someone's name and address is also considered sensitive data (at least as far as the Data Protection Act is concerned).
The compromised database stored the names, addresses and dates of birth of all eBay's users. That information is all the vast majority of banks would require to prove you were the actual account holder.
Now I suspect I know the reason why eBay didn't encrypt all the data in that database: encryption is an expensive process, requires the server to devote significant time to processing the data, and maintaining a secure key store is a pain.
However, there are encryption-optimised hardware devices that can reduce the load on your servers, and make key management and distribution pretty painless.
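To make the point in L10 to L14 concrete, here is an added example (not eBay's code, and not from the original post) of what encrypting the name, address and date-of-birth columns actually looks like when the key is kept outside the database. The `KeyStore` type is a constructed stand-in for the external key store or HSM the post refers to; real deployments would call a KMS or hardware device instead. It uses AES-GCM from the Go standard library, binds the column name in as additional data, and shows that a copy of the database rows alone cannot be decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyStore is a constructed stand-in for an external KMS or HSM: keys live here,
// never in the user-details database, so a database dump on its own is useless.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Generate creates a random 256-bit data key under a version label, so keys can
// be rotated later without re-encrypting every row in one go.
func (ks *KeyStore) Generate(version string) error {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	ks.keys[version] = k
	return nil
}

// aead builds an AES-GCM instance for one key version.
func (ks *KeyStore) aead(version string) (cipher.AEAD, error) {
	k, ok := ks.keys[version]
	if !ok {
		return nil, errors.New("unknown key version " + version)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptedField is what the database column actually holds: key version,
// a fresh nonce and the ciphertext (which includes the GCM authentication tag).
type EncryptedField struct {
	KeyVersion string
	Nonce      []byte
	Ciphertext []byte
}

// EncryptField protects one personal-data value (name, address, date of birth).
// The column name is bound in as additional data, so a ciphertext copied into a
// different column fails to decrypt.
func EncryptField(ks *KeyStore, version, column, plaintext string) (EncryptedField, error) {
	gcm, err := ks.aead(version)
	if err != nil {
		return EncryptedField{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return EncryptedField{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(column))
	return EncryptedField{KeyVersion: version, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptField reverses EncryptField; it fails on a missing key, a tampered
// ciphertext or a column mismatch.
func DecryptField(ks *KeyStore, column string, f EncryptedField) (string, error) {
	gcm, err := ks.aead(f.KeyVersion)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, f.Nonce, f.Ciphertext, []byte(column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Leaked models an attacker who holds a copy of the database but not the key
// store: decrypting with an empty KeyStore returns an error, never the data.
func Leaked(f EncryptedField, column string) error {
	_, err := DecryptField(NewKeyStore(), column, f)
	return err
}

func main() {
	ks := NewKeyStore()
	if err := ks.Generate("v1"); err != nil {
		panic(err)
	}
	// Constructed sample row; not real user data.
	row := map[string]string{"name": "A. Example", "address": "1 Sample Street", "dob": "1970-01-01"}
	for col, val := range row {
		f, err := EncryptField(ks, "v1", col, val)
		if err != nil {
			panic(err)
		}
		pt, _ := DecryptField(ks, col, f)
		fmt.Printf("%s: %d ciphertext bytes; with key -> %q; without key -> %v\n",
			col, len(f.Ciphertext), pt, Leaked(f, col))
	}
}
```

The processing cost the post mentions is real but small per field, and the key-management pain is what the `KeyStore` indirection is for: the application only ever holds a key version label, and the key material stays in the external store.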
Were eBay's Internal Security Policies Strong Enough?
The fact that this breach occurred due to the compromise of internal credentials makes me wonder how strong eBay's internal security policies are, and question the effectiveness of their security training programmes.
Now I know that enforcing security policies often comes at the expense of usability, and that after several complaints, an IT department is likely to relax some of the controls (I've been in that position myself) - but this shouldn't apply to anyone in a position to directly access your database servers.
I have said many times on this blog that staff security training is your most effective weapon against any attack: if your staff know what a malicious individual is likely to do, they can stop them.
The problem is, very few organisations' security awareness training goes far enough (if they indeed have any security awareness training programme). They might tell new recruits about some of the more common threats during their induction training, but unless you continually refresh that knowledge (and update it as new attacks appear), your staff will very quickly forget what you told them.
Also, generic security awareness training won't fully protect your organisation; the programme needs to be tailored to your exact circumstances.
How I Think eBay Should Have Handled It
Firstly, this is my opinion, and is based in part on how similar incidents have been handled by other companies.
After discovering the breach, I would have issued a statement that alerted users to the possibility that their data had been compromised, and advised them to keep a look out for any unusual activity.
This may have been annoying for users, as no one likes being told to change their passwords - but it's better than leaving them under the impression that their data is safe while you investigate what was compromised. Those investigations are going to take a while, and during that time, the attackers will be attempting to crack any passwords they've stolen - and they will succeed in cracking and using quite a few before you realise they've got them.
I would then make sure that my password reset system hadn't also been compromised, and if necessary build a new one.
All in all, the only thing I would have done differently is change the time at which I notified users, which would have defused some of the backlash that eBay has had, as people would at least have been able to act a lot quicker than they have been able to.
Agree with my comments? Disagree? Leave a comment below and let me know your thoughts.