The hacker(s) were able to gain access to eBay’s network through an employee’s login credentials and gain access to information such as usernames, passwords, physical addresses, phone numbers, and date of birth. Passwords were also available to the hacker(s), however the likelihood of them being compromised is low because the passwords were in an encrypted form.
Jack Britton, IT Security Consultant with Redspin says “the bigger a company is, the more assets they have and depend on, so it’s hard to tell exactly how the eBay security breach happened.” The more complex an organization network, the more hiding places there are for black hat hackers.
He goes onto say “To effectively maintain and stay on top of an organization’s assets, it’s necessary to create small teams who are responsible for managing small segments of the enterprise.” Creating a communication structure top down and bottom up to report on the status of such assets is key for an organization to prevent future data breaches.
Due to the eBay security breach, eBay is requesting users to change their passwords as there may be a chance that the hacker will access a user’s eBay account or other accounts where the same password was used. Even though financial information has not been taken, it is important to note that given the most recent breach at Target, eBay is now in the spotlight and is under a magnifying glass on how they will handle crisis management.
Finally, what happened at eBay and Target will happen again at a large retailer, healthcare or financial institution. The lessons we can learn here is to:
1. Review policies to determine if they match up to what the organization is doing.
2. Implement or change procedures and controls as threats and an organization’s environment is always changing.
- Consider adding a resource who understands the five phases of an ethical hacker to think like a hacker and find possible entry points into an organization.
- Take inventory of the organizations assets and understand what each asset is capable of doing before implementing new technology.
- Internal domains, policies and/or business units
4. Remediate findings that are of high risk to the organization.
5. Test to ensure new procedures and policies are effective.