eBay is facing a possible European investigation into the breach of its systems, following the launch of a joint probe by three US states into how the auction company handles security.
Details compromised in the breach, which were made public earlier this week included customers' names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. eBay hasn't said how many of its more than 145 million customers' details were compromised, however.
Talking to BBC Radio 5 live, the UK's information commissioner Christopher Graham said: "eBay is, on the face of it, a very serious breach." However, he added the commission will not investigate the company yet.
"You've got to make sure you're not foot-faulted or you'll get in trouble with the lawyers," Graham said.
One obstacle to launching a UK investigation is that eBay's European headquarters are in Luxembourg, according to the commissioner.
An ICO spokesman told the BBC that while millions of UK citizens were affected by the breach, "by taking the wrong action under the law now we risk invalidating any investigation". Nevertheless, according to the BBC, the ICO is working with European data protection authorities ahead of possible action against the company.
Two weeks ago eBay noticed that some employee log-in credentials were compromised and a subsequent investigation revealed that attackers had gained access to its customer database in February or March.
eBay hasn't, for example, said whether the passwords were encrypted or hashed, why it took so long to discover its database was compromised, and "how well equipped is an organisation to identify when data is being pilfered?"