The hack attack that caught eBay napping

The US online giant joins a growing list of companies who are learning the hard way that spending millions on securing information won't necessarily stop hackers.

US online giant eBay has joined the burgeoning list of companies finding out that spending millions on securing their information won't necessarily stop hackers.

The company has confirmed that customer email addresses, encrypted passwords, birth dates and mailing addresses have been pilfered in an attack carried out between late February and early March.

If you are an avid user of eBay you'd better change that password, and given there’s a good chance that many of us continue to use the same passwords linked to the same emails on other platforms, it's probably a good idea to give them a tweak as well.

While no financial information has been stolen (not that we know of anyway), eBay shouldn’t be let off the hook according to Rik Ferguson, Global VP Security Research at Trend Micro.

Ferguson has taken a bat to eBay in his latest blog post, saying that the breach raises a number of questions -- such as why was so much sensitive data stored in one single database; why was it not encrypted; and if encrypted, were adequate authentication systems in place?

They are all pertinent questions and ones that have become woefully familiar after every headline-grabbing breach. If a single compromise of credentials is enough to gain access to the corporate network, then what’s the point of spending money on robust perimeter defence?

Just how much of the money is going down the drain is difficult to gauge, but global security company FireEye says that data from the more than 1600 network appliances it has deployed in real-world settings suggests that 97 per cent of organisations had been breached, meaning at least one attacker had bypassed all layers of their defense-in-depth architecture.

The eBay attack also brings attention to the issue of disclosure.

High-profile hacks are embarrassing and they hurt brand equity; yet perhaps a company is better off coming clean from the word go rather than trying to fix things afterwards. An eBay Australia spokesperson told Business Spectator that the company was still in the process of notifying all users through email, on its website and via other marketing communications channels.

UTS fellow Rob Livingstone says that managing data breaches is no trivial task and many remain hidden from sight for a long time.

“Data breaches are now a daily occurrence, and it’s only the major breaches that are detected and reported by organisations who have a moral or legal obligation to advise their stakeholders of a breach having occurred,” Livingstone says.

While getting users to change their passwords is usually the first port of call for a company once a breach has been detected, most of the damage has already been done.

Livingstone, who also runs his own IT advisory practice, says that asking users to change passwords after a major data breach -- as in the case of eBay -- is a classic example of “closing the gate after the horse has bolted”.

One key deficiency is the fact that security is seen simply as an IT problem. Lack of accountability is a major pitfall, and the “IT department as the gatekeeper” mentality is still quite pervasive.

Information security is everyone’s responsibility in the organisation and Livingstone says that expecting the IT department to have sole accountability over security on behalf of the entire organisation is a recipe for failure.

Securing IT assets does need a new approach and it can’t just be about implementing so-called impregnable architecture. As Ferguson points out, effective security should focus less on keeping attackers out permanently and more on putting systems and processes in place that aid discovery and quick reaction to an intrusion.
