Many lasting ramifications for the industry have yet to emerge from the massive data breach disclosed last week at eBay, the internet auction and e-commerce site. The data compromise affected eBay’s entire user database, and among the data lost were usernames, contact information and encrypted passwords.  President of eBay Marketplaces Devin Wenig has sent out an email to the site’s users urging them to change their passwords immediately, adding “We have no evidence that your financial information was accessed or compromised.  And your password was encrypted.”

How receptive eBay’s users are to this loss of information remains to be seen, but it does mark the latest in a line of online breaches that has elevated attention on corporations and data loss.

As a result of continued data breach incidents like Target and Michaels entering into the public consciousness, the industry is in a precarious position where public images have taken a bruising.  Facing brand disgrace, the industry is witnessing more executives coming under fire it relates to security related issues.  In the case of retail giant Target, the massive breach that company endured became a factor in the resignation of its CEO Gregg Steinhafel.  Last week, the credit monitoring service LifeLock, under a number of company performance-related and regulatory pressures, saw its CEO act to pull its app and wipe all user data in response to private data risks found within the app itself.

Maty Siman, Chief Technical Officer of Checkmarx, which markets a code analysis solution that finds security vulnerabilities in an application’s source code, isn’t surprised by the eBay data breach, saying:

“It is not surprising that eBay’s site was breached, and attacks like this can definitely be considered ‘the new normal’, as we’ve seen the last few weeks. Major organizations are compromised on a daily basis, jeopardizing a huge amount of sensitive user and company information.”

Once more details of the breach are discovered, a better path will emerge towards what could have been done to avoid this problem.  One component that Siman advises could help in these cases is to proactively protect digital assets from the outset by integrating the examination of source code in the search for vulnerabilities.

Could eBay have done something better?

Though it is still early, it is being reported that the eBay hackers used a small number of privileged access accounts in gaining access to the entire user database.  This tidbit of information indicates these hacked accounts were likely targeted for their elevated value.  eBay’s environment is quite mature from a security standpoint, making this breach all the more worrisome.

During my personal experience as a contractor at eBay some years ago, the environment was designed with extremely specific account restrictions, with least privileged access configured throughout, and limited access to an employee’s working hours in some cases.  Any environment that integrated this level of security focus for sensitive systems would probably extend this focus on some level across all systems.  Even the most comprehensive systems have weaknesses, and it is often narrowed down to the human element.  eBay has implemented great security practices in the past, but even that has been proven to have fallen short.

As far as the data taken, encrypted passwords taken in the breach could possibly be decrypted offline, exposing the accounts to access by the hackers.  The fact that users commonly recycle passwords over and over on other sites means the threat from decrypting these passwords is still considerable.  The unencrypted information that was accessed makes up another threat, as the names, addresses and dates of birth could be used in identity theft.

Anytime passwords are in question, the call for multi-factor authentication will probably enter the conversation.  Typical multi-factor site authentication schemes involve texting a code to a phone, basically creating a physical token that is utilized in the authentication chain.  It is unknown if eBay will go down this route that other companies like Twitter and Google have explored.

Will the industry reset?

 .

In the meantime, four states – California, Connecticut, Florida and Illinois, along with the European Union (EU) have lined up to investigate the breach, how to protect consumers that may have been affected and to discover what possible fines may be in store.

It has become a common company response in these incidents to offer credit monitoring and protection services to potentially affected customers.  While this has become a de facto minimum, some may be wondering if we’re seeing a repeat in case after case and frustrations could be on the way up.  Witnessing this current trend of executive visibility and increased investigations, it may not be long before new legislation and regulations follows.

photo credit: brianc via photopin cc