Another data breach is making headlines, as eBay.com has revealed that the passwords for its accounts were recently compromised. The peculiar thing about this breach, however, is the way eBay communicated – and did not communicate – the breach to its users.
If you visited eBay.com on the morning of May 22nd, a banner would have greeted you on the homepage – acknowledging that a data breach had occurred and advising users to immediately change their passwords. But if you visited the homepage that evening, you would have found no mention of a breach.
That morning, I logged onto eBay myself and changed my password (after almost ten minutes of trying to figure out how); that evening, I found no indication of anything abnormal at eBay.com.
According to coverage from Reuters, Connecticut, Florida, and Illinois (alongside the Federal Trade Commission) have initiated a joint investigation of eBay’s security practices in light of the recent breach. Naturally, one does not have to look far to find indignant customers on forums and social media – many eBay users did not receive an email about the breach and think that a temporary banner on eBay’s homepage is an inadequate response. Many customers do not visit eBay.com daily, and several online posts indicate that users would have preferred an email to a homepage notification.
The situation highlights the delicate nature of notifying customers following data breaches; companies – especially household names like eBay – should develop responses and have written procedures for handling breaches before they occur. Given the recent rise of breaches, it seems wise to plan for these not-so-unlikely situations.
Target is still reeling from its breach in 2013, so eBay likely has a difficult road ahead. With personal addresses, credit card numbers, and plenty of competition, the user-to-user corporation will have to prove the security of its information – or risk suffering significant financial consequences like Target has.