eBay Security Breach Delivers 10 Lessons for Enterprise IT Executives
By Don Reisinger
Another day, another company that has disclosed that one of its main databases has been hacked and user information has been compromised. So far eBay hasn’t divulged full details of the breach. Reportedly the attackers accessed about 145 million records. Now, the online auction company is urging its 128 million active users to change their passwords. The attackers were able to access everything from users’ full names and addresses to email addresses. But eBay asserts that the compromised database didn’t contain financial information, which the company encrypts anyway. The company also said PayPal users weren’t impacted. The breach, which is just the latest in a long list of security issues that have affected large enterprises with large customer bases, should teach us a lot about security, or the general lack of it, across the Web. The massive Target breach in December showed what can happen when huge databases containing customer information are breached and the data stolen. Reports about eBay demonstrate, once again, how even a huge Internet business, which should know how to defend itself against sophisticated cyber-attacks, can be compromised. This eWEEK slide show highlights what we can learn from this latest attack.
Never Use the Same Password on Multiple Websites
The same password shouldn’t be used on multiple sites. Reusing a password across services is almost as bad as having no password at all. In its May 21 letter to users, eBay urged customers to change all passwords across all the sites they use, and to never use the same password for two different services. Having unique passwords for every site might take more effort to manage, but it’s a necessity in today’s insecure world.
Don’t Trust Any Company
No company can be trusted. Although there was a thought at one time that smaller firms were most likely to be affected by security breaches, now it’s clear that even the biggest companies in the world can get hit with major hacks. Therefore, it’s incumbent upon users never to trust a company with their data.
Expect to Be Hacked
It’s sad to say, but today’s Web users should expect to have their information stolen at some point in their lives. Considering hackers have been able to break into government data centers, retailer servers and, now, eBay, among many, many others, it’s practically impossible for anyone to be safe from being hacked, no matter what they do.
Financial Information Tough to Grab
There is perhaps a single bright spot in the eBay news: Getting credit card information isn’t simple. Target was able to keep credit card data encrypted and supposedly safe from hackers, and the same is true for eBay. At this point, financial data security seems to be working, at least.
Companies Aren’t Learning From Issues
At what point will companies start to learn from the hacks that have affected so many other firms? It seems that there’s a sense in the security community that just because one company was hacked, it won’t happen to another. It’s a false sense of security and it’s causing breaches that are wreaking havoc on companies across the globe.
The Enterprise Is Not Doing Enough
For enterprise IT decision-makers, all this news of data being hacked should be a wake-up call: You’re not doing enough. While many IT decision-makers might believe that their corporate data is secure and they have nothing to fear, it’s becoming increasingly apparent that believing that is a mistake. IT professionals should assume they aren’t doing enough on security; with that mindset, they may just get lucky and avoid being hacked.
Hackers Are Winning
The malicious hackers targeting companies around the globe are winning. And it’s about time someone said so. For too long, the security community has pretended that it can keep pace with malicious hackers. The truth is that it can’t, and it won’t, until it realizes that the hackers are better at what they do. We’ll never be safe as long as the malicious hackers are outpacing those folks who are supposed to be protecting us.
Companies Don’t See the Attacks Coming
It’s shocking to see that so few companies see attacks coming. Despite all the concerns with security and data breaches, firms aren’t doing things as simple as monitoring database access or server queries. This is basic security that companies neglect either because they don’t spend enough money on it or because they don’t take the time to care. Following basic security policies might have stopped the eBay attack from happening.
They Don’t React Swiftly to Them
To make matters worse, once a flaw is exploited, companies are taking months to react. In fact, eBay admitted that the attacks occurred in late February and early March. Yet the company didn’t discover them until two weeks ago, and it took an additional two weeks for the company to inform the public. That’s embarrassing, and eBay has some serious explaining to do.
Answers Aren’t Solutions
The truth is that eBay’s response to its data breach—change passwords and don’t worry about your financial information—hardly inspires confidence. The same might be said for Target, which could only offer apologies and credit monitoring. The answers the affected companies are providing aren’t solutions; they’re Band-Aids. At what point will we all realize that the affected companies should be providing us with real solutions to the problems we face—and not simply handouts to make it all go away?
Don Reisinger is a freelance technology columnist. He started writing about technology for Ziff-Davis’ Gearlog.com. Since then, he has written extremely popular columns for CNET.com, Computerworld, InformationWeek, and others. He has appeared numerous times on national television to share his expertise with viewers. You can follow his every move at http://twitter.com/donreisinger.