eBay Hacked – Would you believe John Donahoe offered credit protection?
EventHorizon1984
22 May 2014
“You eat danger for breakfast”
“Would you believe lunch?” Zach Smart
“Don’t do that.” Chief Maxwell Smart
Get Smart (1995)
eBay INC made an interesting press release on 21 May 2014. eBay INC stated:
“SAN JOSE, Calif.–(BUSINESS WIRE)– eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.
Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers. We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.
Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.
The company said it has seen no indication of increased fraudulent account activity on eBay. The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.
Beginning later today, eBay users will be notified via email, site communications and other marketing channels to change their password. In addition to asking users to change their eBaypassword, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts.”
A matter of fact, ‘don’t panic‘, ‘nothing to see here’ statement. Then came the scrutiny.
“No more secrets, Marty.”
Cosmo, Sneakers (1992)
The press release did not mention the extent of the “compromised” database. Although on 21 May 2014 eBay INC clarified:
““For the time being, we cannot comment on the specific number of accounts impacted. However, we believe there may be a large number of accounts involved and we are asking all eBay users to change their passwords,” eBay spokeswoman Kari Ramirez said.”
And on 22 May 2014 eBay INC provided more clarification:
EBay hack, 2nd largest in U.S. history, leaves questions unanswered
Chicago Tribune, Reuters, 22 May 2014
“EBay Inc’s description of how hackers got access to its entire database of 145 million user records leaves many questions unanswered as to how cyber criminals orchestrated what appears to be the second-biggest data breach in U.S. history.”
““They’ve been pretty tightlipped. They’ve barely provided any information. They should be more forthcoming about what happened,” said David Kennedy, chief executive of TrustedSEC LLC, an expert in investigating data breaches.
In particular, Kennedy wants to know why it took eBay three months to detect the intrusion.“
“Missed it by that much”
Maxwell Smart (Don Adams), Get Smart
“Computer security experts say the biggest breach was uncovered at software maker Adobe Systems Inc in October 2013, when hackers accessed about 152 million user accounts.“
“The day ain’t over yet…”
Curly, City Slickers (1991)
In eBay INC’s press release they promised, “Beginning later today, eBay users will be notified via email.” Has any reader received any email warning of the database breach? Apparently that email has yet to be sent.
“Some customers complained on eBay Community forums that they had not received much information about the breach from eBay and have yet to get notifications by email, which the company has promised to do.“
And what did the “145 million user”s affected by the database incursion immediately see?
U.S. states probe eBay cyber attack as customers complain
Reuters, 22 May 2014
“As of Thursday afternoon, eBay did not have information on the attack visible on its market home page, www.ebay.com.
“That’s really poor incident response,” said David Kennedy, a cyber forensics expert who is CEO of TrustedSEC LLC. “EBay should be held to a higher standard.”“
The eBay Hack: They Haven’t Only Hacked Your Security, They’ve Hacked Your Brand
Patrick Hanion, Forbes, 22 May 2014
“The eBay Hack” brings to mind the recent Target INC hack.
Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It
Michael Riley, Ben Elgin, Dune Lawrence, Carol Matlack, Businessweek, 13 March 2014
“The biggest retail hack in U.S. history wasn’t particularly inventive, nor did it appear destined for success. In the days prior to Thanksgiving 2013, someone installed malware in Target’s (TGT) security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores.”
“On Saturday, Nov. 30, the hackers had set their traps”
“Target stood by as 40 million credit card numbers—and 70 million addresses, phone numbers, and other pieces of personal information—gushed out of its mainframes.“
“More than 90 lawsuits have been filed against Target by customers and banks for negligence and compensatory damages. That’s on top of other costs, which analysts estimate could run into the billions.”
The time between hack and notification?
“Federal investigators warned Target of a massive data breach on Dec. 12.“
Note this is not Target INC notifying it’s customers. It’s the U.S. Government notifying Target INC.
Notification to consumers was much much later.
| 14 January 2014 |
|
Dear Target Guest,
As you may have heard or read, Target learned in mid-December that criminals forced their way into our systems and took guest information, including debit and credit card data. Late last week, as part of our ongoing investigation, we learned that additional information, including name, mailing address, phone number or email address, was also taken. I am writing to make you aware that your name, mailing address, phone number or email address may have been taken during the intrusion.
|
| I am truly sorry this incident occurred and sincerely regret any inconvenience it may cause you. Because we value you as a guest and your trust is important to us, Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014. |
| In addition, to guard against possible scams, always be cautious about sharing personal information, such as Social Security numbers, passwords, user IDs and financial account information. Here are some tips that will help protect you: |
- Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
- Delete texts immediately from numbers or names you don’t recognize.
- Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.
Target’s email communication regarding this incident will never ask you to provide personal or sensitive information.Thank you for your patience and loyalty to Target. You can find additional information and FAQs about this incident at our Target.com/databreach website. If you have further questions, you may call us at 866-852-8680.Gregg Steinhafel Chairman, President and CEO
Compare and contrast the actions and timeline of Target INC and CEO Gregg Steinhafel to eBay INC and CEO John Donahoe.
Time from breach to customer notification.
- Target Inc, customer emails, 1 month +
- eBay Inc, Press Release, 2-3 months
Message from CEO to customers.
- Target Inc, 1 month +
- eBay Inc, none
Credit protection.
- Target Inc, “Target is offering one year of free credit monitoring”
- eBay Inc, none
While eBay INC has stated,”no evidence of unauthorized access or compromises to personal or financial information”, one may or may not want to take that with a grain of salt.
“Someone posted a batch of emails, scrambled passwords, phone numbers and addresses of more than 12,000 people on the Internet, saying it was a sample of data stolen from eBay and offering to sell the full batch for 1.453 bitcoin, or a little more than $750.
EBay’s Miller said the information was not authentic.
Reuters spoke to six people whose phone numbers were included in that batch. While only four said they had eBay accounts, all of them said the data was correct“
If eBay INC can’t identify it’s own users, what assurance is there that eBay INC can identify the condition of it’s own data.
The fate of Target INC CEO Gregg Steinhafe?
Target’s CEO Steps Down Following The Massive Data Breach And Canadian Debacle
Forbes, 8 May 2014
“Target CEO, President and Chairman Gregg Steinhafel resigned from all his positions after extensive discussions with the board.”
“I’ve never seen worse corporate governance than eBay”
Carl Icahn, 5 March 2014
The fate of eBay INC CEO John Donahoe remains to be seen.
/*
“And because of current synergies, a lot of data is traded between eBay and PayPal.” JP Mangalindan, Fortune
“Why would you divide up the data?! Everyone is paying millions to get to the data. Why would you divide up the data?”
John Donahoe, 10 March 2014
/*
Technorati Profile
EventHorizon1984 Log
//
Photo from Nature.com
Ghost in the Shell, Masamune Shirow
Ghost in the Shell, Masamune Shirow
Event Horizon Log 
Ebay, PayPal, Hewlett-Packard – Breaking Up Is Hard.
Published 8 October 2014 Amazon , Business , Commentary , eBay , eBay Spotlight , PayPal Leave a CommentTags: Alibaba, Amazon, American Express, eBay, Hewlett-Packard, John Donahoe, Margaret Whitman, MasterCard, Meg Whitman, Monkey sees monkey does, PayPal, Ronald Barusch, The Wall Street Journal, VISA
Ebay, PayPal, Hewlett-Packard – Breaking Up Is Hard.
EventHorizon1984
8 October 2014
“Breaking Up Is Hard To Do”
Neil Sedaka, Howard Greenfield, 1962
Convention wisdom about the 2015 split of eBay INC, says the separate parts will be quickly sold off. Might not happen quickly.
In The Wall Street Journal article, “Dealpolitik: EBay, PayPal Takeover Talk May Be Premature”, Ronald Barusch makes this interesting point.
“eBay probably has massive gains on its PayPal shares that would trigger huge taxes if the deal didn’t qualify as a tax-free spin-off.
For up to two years after the spin-off, an acquisition of either PayPal or eBay (regardless of which company is spun off) could destroy the tax-free status of the deal and trigger an enormous corporate tax. In spin-offs, the agreements usually make the company that’s taken over bear the risk of that tax.
Such an agreement operates as a kind of poison pill of its own: Anyone trying to take over one of the companies would indirectly be responsible for that big tax bill”
The short version being:
“The bottom line is that those expecting a quick deal following the spin-off may be jumping the gun.”
Of course with eBay INC CEO John Donahoe leading the separation plans, there is no guarantee that a monetarily smart long-term plan will be made. I.E. shareholders could be stuck with a huge tax bill, while John Donahoe skates.
“A monkey could drive this train.”
Margaret “Meg” Whitman, during her tenure as eBay INC CEO.
“Monkey sees, monkey does.”
Alexander Boot and Shoe Company, 1892
On the heals of John Donahoe splitting eBay INC, Margaret “Meg” Whitman is leading the charge to split Hewlett-Packard. However not into “Hewlett” and “Packard.”
Hewlett-Packard to split into two public companies, lay off 5,000
October 6, 2014
Supantha Mukherjee and Edward Chan
“Hewlett-Packard Co said it would split into two listed companies, separating its computer and printer businesses from its faster-growing corporate hardware and services” … “HP said its shareholders would own a stake in both businesses through a tax-free transaction next year.” … “Whitman, who will be CEO of HP Enterprise, the business that will sell computer servers and networking gear and data storage to businesses.”
Perhaps the ‘monkey see, monkey do’ reference is not entirely fair.
Meg Whitman is planning “a tax-free transaction” and will be CEO of one of the split companies. John Donahoe has not mentioned “tax-free” and will not be CEO of either the new eBay or PayPal.
Plus:
Meanwhile, at the close of market. 8 October 2014:
“I didn’t think eBay was right for me.”
John Donahoe, 17 June 2013
Indeed.
/*
Addendum 9 October 2014
No one here has received anything directly from eBay INC, about their separation into “eBay” and “PayPal”.
Whereas days after the public announcement, Hewlett-Packard sent this Today:
We’re no fan of Meg Whitman, but Hewlett-Packard does keep it’s customers informed.
eBay INC, ‘not so much.’
/*
“No sequel for you.”
Jack Slater, Last Action Hero (1993)
//