eBay argued against stronger privacy breach penalties

Summary: Just prior to suffering its own massive customer privacy breach, eBay had argued strongly against the need for statutory responses to privacy breaches.

As eBay hastily informs its customers of its massive privacy breach, it is worth recalling that only months earlier the company told the Australian Law Reform Commission that the threat of reputational damage was enough of an incentive to protect customer data, and that a statutory cause of action for privacy breaches was unnecessary.

Overnight, eBay announced that it had been the victim of a "cyberattack" in which employee login credentials were compromised between late February and early March, giving the attackers access to eBay's corporate network and to a customer database containing users' names, email addresses, physical addresses, dates of birth, and encrypted passwords. eBay first became aware of the intrusion around two weeks ago.

The company today began asking its users to reset their passwords. It said there was no evidence at this time of fraudulent account activity on eBay, but acknowledged that the information in the database could potentially be used for identity fraud.

While eBay will be dealing with the ramifications of the breach over the coming weeks and months, the online retailer had argued strongly against statutory penalties being imposed on companies that breach their customers' privacy.

The Australian Law Reform Commission was tasked last year to review serious invasions of privacy in the digital era, and potential statutory causes of action against companies or individuals in cases of privacy breaches.

In a submission (PDF) to the inquiry, eBay's acting head of corporate affairs Sassoon Grigorian said that given the company's own approach to privacy, such an action "need not be considered at this point".

"Over the years, we have learnt that one of the keys to success is engendering consumer trust and confidence. Confidence is in great part built through consumers trusting that businesses will adhere to certain rules for protecting individual privacy; both those rules required by statutory principle and those followed by sound business practices. Trust in our privacy protections has enabled eBay to be successful in growing our businesses," Grigorian said in a submission in November.

"eBay Inc. recognises the responsibilities which come with handling the personal and private information of both individuals and organisations, and requires all of its companies to adhere to strict standards of behaviour. We have sought to be a leader in the field of handling personal information."

Grigorian said that eBay has corporate rules in place to "adequately protect our users' personal information regardless of where the data resides."

Customers should be notified when there is serious risk of identity theft or fraud for financial gain, Grigorian said, but added that notification should not be required where potential harm is "nominal".

Today eBay said that the two-week delay in informing customers was a result of the company waiting until it had all the facts.

In its submission to the ALRC, the company said existing penalties in the Australian Privacy Act were sufficient to cover serious data breaches, and that reputational loss was "the most significant incentive" for organisations to prevent breaches.

Comment has been sought from eBay.

Following publication of news of the breach, users have reported difficulty reaching the password reset page because of the high traffic on the eBay website.

Topics: Security, E-Commerce, Australia

About

Armed with a degree in Computer Science and a Masters in Journalism, Josh keeps a close eye on the telecommunications industry, the National Broadband Network, and all the goings on in government IT.

Talkback

8 comments
  • Translation ...

    .... we don't want to pay for our complete lack of care about customer privacy.
    wackoae
  • ebay passwords

    Why the rush to change passwords if the breach is employee access. Employees don't get privileged access to passwords. They get access to customer records but not passwords.
    You could change your passwords but employee access gets right around it. Changing passwords achieves nothing.
    The media is beating this up the wrong way.
    warboat
    • You would hope

      But I've seen many back-office systems where passwords can be retrieved. Not good.
      Even more, where you can reset, or prompt for a new one on next login.
      Security question answers often aren't encrypted, so "lost password" can be used to gain access to someone else's account.
      Lots of damage can be done if you can have access to the back office.
      Boothy_p
      • but how does changing the password solve the problem?

        I agree with you but the issue is the sweeping assumption that changing passwords somehow protects from an admin security breach. Changing passwords achieves nothing in this situation because the admin didn't need user passwords to access user data.
        This situation needs to be rectified on the admin side, not user side.
        Media just took the FUD and ran with it.
        warboat
        • It doesn't

          I like the 2 factor authentication offered by many, with the text to your phone. Yes, it can be a bit of a pain in the backside, but if it's sent from a properly maintained and isolated system, it can help increase login security.
          I've some experience with implementing random number generators for gaming platforms, and these are kept under lock and key. Even from IT, and monitored by video, controlled from another section.
          No, nothing's perfect from inside jobs, but steps can be taken....
          Boothy_p
        • It does, if...

          Changing the user password would help, if the admin account that was compromised has been fixed. There are no details of how the account was compromised. Did the admin write their password down? Did they write their password on the multi-factor token? Was it a social engineering attack?

          The database was compromised at a point in time. Therefore the malicious party has a list of user passwords from that point in time. Changing passwords makes that list of passwords less useful.

          My concern is how was the password fields encrypted? What cryptographic algorithm was used? Were they uniquely salted? Was key stretching applied?

          Cracking a password is easy, they just need to slow the process down, in order to alert users to change their passwords and force a strong password policy. Or better yet implement multi-factor for all users.
          hmm_complexity
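The questions in the comment above (which algorithm, whether each record was uniquely salted, whether key stretching was applied) decide how much a leaked password column is worth to whoever holds it. The following is an added example, not code from the article, the comment thread or eBay, that puts the weak form and the hardened form side by side on constructed sample users: an unsalted fast hash reveals shared passwords on sight and lets one hash per guess cover every user in the dump, while a per-user random salt with PBKDF2 key stretching forces a full iterated computation for every (user, guess) pair. The stored-record format, iteration count, user names and word list are my own assumptions for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data (not from the breach): two users share a password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery"}
WORDLIST = ["password", "123456", "hunter2", "letmein"]  # attacker's guesses

# Assumed work factor; in practice raise it until one hash costs ~100 ms.
ITERATIONS = 100_000


def weak_hash(password):
    """The weak form: one unsalted, fast SHA-256 per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, iterations=ITERATIONS, salt=None):
    """The hardened form: random per-user salt plus PBKDF2 key stretching.

    The record format 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' is
    my own convention for this example, chosen so that a stored record
    carries everything verify_password needs to recompute the hash.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_weak(table, wordlist):
    """Unsalted: hash each guess once, then match every user against that table.
    Returns (recovered passwords, number of hash computations)."""
    lookup = {weak_hash(w): w for w in wordlist}
    found = {user: lookup[h] for user, h in table.items() if h in lookup}
    return found, len(wordlist)


def crack_salted(table, wordlist):
    """Salted: every (user, guess) pair costs a full PBKDF2 run; nothing is shared."""
    found, runs = {}, 0
    for user, stored in table.items():
        for guess in wordlist:
            runs += 1
            if verify_password(guess, stored):
                found[user] = guess
                break
    return found, runs


def demo():
    weak_table = {u: weak_hash(p) for u, p in USERS.items()}
    salted_table = {u: hash_password(p) for u, p in USERS.items()}

    t0 = time.perf_counter()
    weak_found, weak_ops = crack_weak(weak_table, WORDLIST)
    t_weak = time.perf_counter() - t0

    t0 = time.perf_counter()
    salted_found, salted_ops = crack_salted(salted_table, WORDLIST)
    t_salted = time.perf_counter() - t0

    return {
        # Without a salt, alice and bob's identical passwords are visible in
        # the dump before any cracking starts; with salts they are not.
        "weak_shows_duplicates": weak_table["alice"] == weak_table["bob"],
        "salted_shows_duplicates": salted_table["alice"] == salted_table["bob"],
        "weak_found": weak_found, "weak_hash_ops": weak_ops,
        "salted_found": salted_found, "salted_hash_ops": salted_ops,
        "seconds_weak": t_weak, "seconds_salted": t_salted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both attacks recover the same two weak passwords from this tiny word list; the difference is the cost. The unsalted table needs four hash computations for three users and would still need four for three million, whereas the salted table needs one stretched computation per user per guess, so the cost scales with the size of the dump times the size of the word list. That per-user cost is what buys the time window the comment describes, during which users can be told to rotate passwords before the bulk of the column is recovered.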
  • biometrics anyone?

    just think: if you were using a biometric password such as a thumbprint or iris scan -- you could not change your password

    biometrics are about stamping out anonymity and have nothing to do with security
    Mike~Acker
  • Breached in February and told about it in May?

    They really do need to look at their policy...
    Tinman_au