Regulatory trouble is brewing for eBay on both sides of the Atlantic, with watchdogs making plans to investigate how a recent security breach occurred.
eBay is facing a possible European investigation into the breach of its systems, following the launch of a joint probe by three US states into how the auction company handles security.
Details compromised in the breach, which were made public earlier this week, included customers' names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. eBay hasn't said how many of its more than 145 million customers' details were compromised, however.
Talking to BBC Radio 5 live, the UK's information commissioner Christopher Graham said: "eBay is, on the face of it, a very serious breach." However, he added that his office will not investigate the company yet.
"You've got to make sure you're not foot-faulted or you'll get in trouble with the lawyers," Graham said.
One obstacle to launching a UK investigation is that eBay's European headquarters are in Luxembourg, according to the commissioner.
A spokesman for the Information Commissioner's Office (ICO) told the BBC that while millions of UK citizens were affected by the breach, "by taking the wrong action under the law now we risk invalidating any investigation". Nevertheless, according to the BBC, the ICO is working with European data protection authorities ahead of possible action against the company.
With the Target breach still fresh in the US, states have been quick to respond to eBay's Wednesday disclosure, with Connecticut, Florida, and Illinois planning to jointly investigate the eBay breach, Reuters reported yesterday.
Two weeks ago, eBay noticed that some employee log-in credentials had been compromised, and a subsequent investigation revealed that attackers had gained access to its customer database in February or March.
Australian security and password expert Troy Hunt has drawn up a list of questions for the company over the details omitted from its disclosure.
eBay hasn't, for example, said whether the passwords were encrypted or hashed, or why it took so long to discover that its database had been compromised; Hunt also asks "how well equipped is an organisation to identify when data is being pilfered?"