Fallout from eBay cyber-attack - One week on

By Dr. Guy Bunker @guybunker

I was kindly invited to speak with BBC business reporter Steph McGovern last week on BBC Breakfast News on the eBay cyber-attack, further to commenting on the story in the national and technology media. As well as getting my 15 minutes of fame, what struck me (as I sat in the green room!) was how these breaches are now becoming almost a daily occurrence.

[Image: Guy Bunker appearing on the BBC Breakfast News TV programme last week with Business Correspondent Steph McGovern]

eBay is now under investigation, and rightly so, by authorities in several countries. In the US, the state attorneys general of Connecticut, Florida and Illinois have opened a joint inquiry. In the UK, the ICO is looking into both eBay's adherence to data protection regulations and how it handled the situation following the attack. I expect more to follow, given the coverage the event received in other parts of the world.

There was a delay before eBay became aware of the attack itself, and then a further delay, once it knew its users' accounts had potentially been compromised, before it communicated news of the attack to its 230 million users. Many of those users, if not all, found out about the attack through the media and gleaned advice on what to do next from people like me! While I appreciate that sending the necessary emails to hundreds of millions of customers takes time (no mean feat), it could and should have been done more efficiently; after all, millions of individuals' personal information was at stake.

As I said to Steph in the interview, such a delay implies a lack of control over eBay's critical information (it's our information really, which we provided in good faith as users of the service). Attackers will always find a weak point, and in this case it was the Enemy Within: access from inside the organisation, either abused intentionally or compromised unintentionally. Unless the right safeguards, both policies and technology, are put in place to mitigate such risks, the critical information of every stakeholder in an organisation, its users included, will be at risk.

The effective remediation, from a user's perspective, is to change passwords: on eBay itself and, just as importantly, on any other site where the same password was reused, since stolen password data can be cracked offline at the attacker's leisure. That sounds simple. Having met further media this week to discuss Clearswift, eBay and other industry news, the password discussion came top of the conversational agenda. There is certainly 'password fatigue' across the nation: the research Clearswift commissioned YouGov to undertake, 24 hours after the attack was made public, found that over half (52%) of eBay users hadn't changed their passwords (but intended to), and, more worryingly, over a tenth (12%) hadn't changed their passwords and weren't intending to. In a straw poll, several individuals who had tried to change their passwords reported trouble doing so, and some had given up, saying it was too difficult to find one that was both memorable and met all the criteria required.

It's clear that the password issue is here to stay, so we must find a way to make passwords work for us, in both our professional and our personal lives. One thing we have talked a lot about this week is using passphrases rather than passwords to tighten the ring of defence. A passphrase is longer than a typical password and is built from several words that form something memorable; its strength comes from that length and from the number of words an attacker has to guess, not from any cleverness in spelling. Character substitution (a '3' for an 'e', say) adds little on its own, because cracking tools apply exactly those rules to every dictionary word automatically. A passphrase of 15 or more characters can be just as easy, or easier, to remember than an eight-character word that has been mangled with odd characters to fit the criteria, and it is far harder to crack.

There is still a challenge around which characters applications do and don't allow in a password. It would be useful if there were a standard, but there isn't. In general, steer clear of spaces, full stops and square or curly brackets. Depending on how and where you use the password, avoid currency signs too: a US keyboard has no '£' key.
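To put numbers on the two paragraphs above, here is a small Python example written for this edit; it is not from the original article or from Clearswift. It estimates the keyspace an attacker must search for a mangled dictionary word versus a multi-word passphrase, generates a passphrase from a cryptographically secure random source, and flags the characters the article warns some applications reject. The sixteen-word list is a constructed sample used only by the generator; the dictionary size, rule count and 7776-word list size in `compare_strength` are illustrative assumptions, not measurements.

```python
import math
import secrets

# Constructed sample word list for the generator. A real generator would load a
# large list (the classic Diceware list has 7776 words), since list size drives entropy.
SAMPLE_WORDS = [
    "anchor", "bishop", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
]

# Characters the article says some password fields reject: spaces, full stops,
# square/curly brackets and currency signs (a US keyboard has no pound-sign key).
RISKY_CHARS = frozenset(" .[]{}$£€¥")


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n_words picked independently and uniformly from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def mangled_word_entropy_bits(dictionary_size: int, n_mangling_rules: int) -> float:
    """Entropy of one dictionary word run through one of n_mangling_rules
    substitution/suffix rules ("p4ssw0rd!", "Summer14"). Cracking tools enumerate
    dictionary x rules, so the keyspace is only their product, however odd the
    substituted characters look."""
    return math.log2(dictionary_size * n_mangling_rules)


def compare_strength(dictionary_size: int = 100_000, n_mangling_rules: int = 10_000,
                     n_words: int = 4, wordlist_size: int = 7776) -> dict:
    """Illustrative comparison using assumed figures: a mangled single word versus
    a four-word passphrase drawn from a 7776-word list."""
    mangled = mangled_word_entropy_bits(dictionary_size, n_mangling_rules)
    phrase = passphrase_entropy_bits(n_words, wordlist_size)
    return {
        "mangled_word_bits": mangled,
        "passphrase_bits": phrase,
        "passphrase_is_harder_by": 2 ** (phrase - mangled),
    }


def generate_passphrase(n_words: int = 4, wordlist=SAMPLE_WORDS, separator: str = "-") -> str:
    """Pick n_words with secrets.choice (random.choice is predictable and unsuitable)
    and join them with a separator that password fields generally accept."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def portability_issues(password: str) -> list[str]:
    """Return, sorted, the characters in password that some applications reject."""
    return sorted({c for c in password if c in RISKY_CHARS})


if __name__ == "__main__":
    result = compare_strength()
    print(f"mangled word:  {result['mangled_word_bits']:.1f} bits")
    print(f"4-word phrase: {result['passphrase_bits']:.1f} bits")
    phrase = generate_passphrase()
    print(f"sample passphrase: {phrase} ({len(phrase)} chars)")
    print("rejected characters in 'my pass.word{1}':", portability_issues("my pass.word{1}"))
```

With the assumed figures the mangled word comes out at roughly 30 bits and the four-word passphrase at roughly 52 bits, so the passphrase costs an attacker millions of times more guesses while being built from ordinary words; the hyphen separator keeps it clear of the characters the article warns about.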

Since the eBay attack (was it really only last week?), further breaches have been announced, at Spotify and, just yesterday, at the shoe retailer Office, albeit on a much smaller scale. Both companies are asking certain users to change their passwords as a precaution. Passwords, then, are not going away, and we all must take more responsibility for protecting our own information and leave nothing to chance. As I commonly say, it's not a case of if, but when, and I'm in no doubt that further breaches are on their way, probably by the time you finish reading this article.