It seems like just yesterday that we were discussing data breaches -- oh wait, that's right, we were. And while yesterday's post was more forward-looking (planning for the worst), eBay's data breach, like Target's, is a fine example of what a company should not do.
Keeping quiet about a major breach? Didn't they learn anything from Target? And even now, when they're notifying consumers and forcing password updates, the company still isn't getting it right, with a password strength algorithm that is encouraging users to pick weaker passwords.
Back in February or March, hackers tapped into eBay's servers and made off with encrypted passwords (which may be useless to the attackers, depending on how strongly they were protected), as well as customers' names, e-mail addresses, home addresses, phone numbers, and dates of birth in a human readable format, reports Ars Technica.
Notice the date: "February or March." It's now almost June, and the company is just now letting us know?
Burying the Lede
It's not just the delay in notifying users -- it's the means employed. Ars notes that the notice was buried five clicks deep in eBay's site, and there was no mention of it on the front page or when users logged in. Today, the company added an "Important Password Update" notice to its front page, after being criticized widely by security experts and others.
Today's criticism of eBay, from Ars and others, is about the company's password strength testing algorithm, which is nonsensical.
Take the example provided by @digininja: Stlk/v/FqSx"lireFTzidyS/m. Even if you know nothing about password hacking techniques, that is a strong password. eBay called the 25-character password "weak," probably because it has no numbers.
Hackers often use brute force (trying every possible combination of characters, which defeats short passwords) or common word lists (which defeat even long passwords built from dictionary words, such as "catorangefist," or simple substitutions, such as "$uperman"). The provided example is 25 characters long, uses mixed case and special characters, and would take forever to crack.
Instead, the site prefers $superman1963, a much more crackable password that is rated as medium strength, reports Ars.
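As an added illustration (this is not code from the article, Ars Technica, or eBay), the Python script below compares a hypothetical class-counting meter of the kind the article describes with a guess-count estimate that models the two attacks just mentioned: brute force over the character set actually used, and a word-list attack that strips leading symbols and trailing digits, undoes common l33t substitutions, and splits what remains into dictionary words. The tiny word list, its assumed real-world size of 100,000 entries, the rating thresholds, and the class-counting rule are all assumptions made for this example.

```python
import math
import re
import string

# Constructed stand-in for the large word lists crackers actually use.
COMMON_WORDS = {"superman", "password", "cat", "orange", "fist", "batman", "letmein"}
ASSUMED_WORDLIST_SIZE = 100_000    # assumption: guesses needed per dictionary word
SYMBOLS = string.punctuation       # the 32 printable ASCII symbols
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e", "5": "s", "7": "t"})


def charset_size(pw):
    """Alphabet size a brute-force attacker must cover for this password."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in SYMBOLS for c in pw): size += len(SYMBOLS)
    return size


def brute_force_bits(pw):
    """log2 of the guesses an exhaustive search needs."""
    return len(pw) * math.log2(charset_size(pw))


def _segment(core):
    """Split `core` into the fewest dictionary words, or None if impossible."""
    best = [None] * (len(core) + 1)
    best[0] = []
    for i in range(1, len(core) + 1):
        for j in range(i):
            if best[j] is not None and core[j:i] in COMMON_WORDS:
                cand = best[j] + [core[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[-1]


def wordlist_bits(pw):
    """log2 of the guesses a word-list attack needs, counting the usual
    decorations: leading symbols, trailing digits, l33t swaps, capitalisation.
    Returns infinity when the password has no dictionary structure."""
    best = math.inf
    for variant in (pw, pw.translate(LEET)):
        swaps = sum(1 for a, b in zip(pw, variant) if a != b)
        prefix, core, suffix = re.fullmatch(r"([^A-Za-z0-9]*)(.*?)(\d*)", variant).groups()
        words = _segment(core.lower()) if core.isalpha() else None
        if not words:
            continue
        guesses = (ASSUMED_WORDLIST_SIZE ** len(words)
                   * 2 ** len(words)              # each word lower-case or Capitalised
                   * 2 ** swaps                   # each l33t swap made or not
                   * len(SYMBOLS) ** len(prefix)  # choice of leading symbols
                   * 10 ** len(suffix))           # choice of trailing digits
        best = min(best, math.log2(guesses))
    return best


def estimated_bits(pw):
    """Work for the cheaper of the two attacks."""
    return min(brute_force_bits(pw), wordlist_bits(pw))


def rating(pw):
    bits = estimated_bits(pw)   # thresholds are an assumption for this example
    return "weak" if bits < 40 else "medium" if bits < 80 else "strong"


def naive_rating(pw):
    """Hypothetical reconstruction of a class-counting meter like the one the
    article criticises: no digit means 'weak', however long the password."""
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(c in SYMBOLS for c in pw)])
    if not any(c.isdigit() for c in pw) or len(pw) < 8:
        return "weak"
    return "strong" if classes == 4 and len(pw) >= 12 else "medium"


if __name__ == "__main__":
    for pw in ('Stlk/v/FqSx"lireFTzidyS/m', "$superman1963", "$uperman", "catorangefist"):
        print(f"{pw:28} naive={naive_rating(pw):6} guess-based={rating(pw):6} "
              f"bits={estimated_bits(pw):.1f}")
```

Run as-is, the class-counting meter rates the 25-character password "weak" and $superman1963 "medium", reproducing the article's complaint, while the guess-count estimate reverses both: the random string needs roughly 160 bits of brute-force work, and $superman1963 collapses to about 36 bits once it is modelled as a dictionary word with a symbol in front and a year behind. For "catorangefist" the word-list estimate comes in below the brute-force one, which is the point about long passwords made of common words.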
As the in-house source for "how screwed are we?" questions, your natural instinct in a data breach scenario might be to try to keep it under wraps. A short delay might even be a good idea, while you execute your finely-tuned data breach response plan that you came up with yesterday.
Get outside counsel for privilege, have them hire experts to patch the leak, then, once the exploit is closed, notify customers and force password updates if necessary. And if you're a multi-billion dollar company, please use an intelligent password strength meter.