eBay hack triggers US/EU investigations as database leak denied
The eBay hack has brought the online auction site under international investigation, with the company's handling of personal data being questioned by regulators in the US and abroad. eBay announced earlier this week that its database of user details – including names, addresses, email and phone numbers, and date of birth – had been hacked into and records stolen. Now, investigators are looking at whether eBay mishandled those records.
In the US, three states have already weighed in with intentions to conduct a joint investigation. Illinois, Connecticut, and Florida will work together to examine whether eBay could have done more to protect its servers.
eBay had already confirmed it was working with the FBI and other investigators to figure out the cause of the hack, which is believed to have taken place in mid-Q1 this year.
In the UK and Europe, meanwhile, the UK information commissioner said he was working with counterparts in Europe on what form an investigation might take. The UK Information Commissioner's Office (ICO) blamed insufficient data protect laws for not being able to swing into action sooner, the BBC reports, instead needing to work with a team in Luxembourg, which is where eBay bases its European operations.
"There's millions of UK citizens affected by this, and we've been clear that we're monitoring it, but by taking the wrong action under the law now we risk invalidating any investigation" ICO spokesperson
The auction site has faced criticism both for how it handled the aftermath of the hack, sending out emails suggesting users change their passwords, which some have warned could lead to a rise in phishing attacks as unscrupulous cyber-criminals take advantage of the confusion and send out fake messages.
The quantity of data held on each user has also been a concern for some, questioning why the site needs anything more than the very basics. If those details really do need to be kept, experts argue, then eBay should be giving them the same encryption protection as it does passwords.
"Since these pieces of information can be combined to create a complete personal identify, this security breach has raised the risk of identity theft to a high level for the millions of individuals affected," Jim Vogt of security startup Zettaset pointed out. "Ideally, personally-identifiable information like that should also be encrypted to ensure a high level of data protection for consumers."
However, eBay has also denied that a supposed copy of its database up for sale for 1.453 Bitcoin is legitimate data. Reuters, however, found that several of the people included in the sample set were real and that their other details were correct, though it's possible that the information could have come from a different hack.