UK Joins Investigation Of eBay Data Breach: Did Company Do Enough To Protect User Data?

The U.K. Information Commissioner’s Office on Friday became the latest agency to start a probe of eBay Inc. (NASDAQ:EBAY) to determine if the e-commerce giant did due diligence in handling its recent data breach. The massive breach, which compromised roughly 145 million user accounts worldwide, was discovered in early May and announced to the public on Wednesday.

“We’re certainly looking at the situation,” Commissioner Christopher Graham said on BBC Radio 5, explaining that the ICO will work with law enforcement in Luxembourg, where eBay Inc.’s European headquarters are located. An official investigation has not been launched.

The ICO joins similar investigations launched by the U.S. Federal Trade Commission, the Federal Bureau of Investigation and the states of Connecticut, Florida and Illinois. The agencies have not responded to questions about the nature of the investigations, but legal experts said similar probes have looked into whether the company lived up to industry standards of protecting consumers’ personal information.

“The authorities are going to look for reasonable security measures and precautions taken with consumer data, particularly with personal information and especially with any financial information,” Gregory Boyd, a partner at Frankfurt Kurnit Klein and Selz who runs the firm’s privacy and data security group, told International Business Times. “The regulatory bodies are going to investigate what happened and the level of security [in place] when it happened.”

Of particular interest will be the lack of encryption used to protect customer names, email addresses, physical addresses, phone numbers and dates of birth. Investigators will also analyze why it took eBay nearly three months to detect the hackers, how long it took to fix the breach and how long the company waited to notify authorities and customers.

“We have relationships with and proactively contacted a number of state, federal and international regulators and law enforcement agencies,” an eBay spokesperson said. “We are fully cooperating with them on all aspects of this incident.”

Boyd explained that these cases take thousands of work hours to fully understand, and that providing information prematurely can be harmful. Computer security experts told IBTimes that eBay's timeframe -- informing customers two weeks after detecting the hack -- was relatively quick.

“They have to figure out what happened, why did it happen, do something so that it won’t happen again and determine that it’s not still happening,” Maxim Weinstein, a security adviser for Sophos, said. “The fact that they were able to do that within two weeks is actually pretty impressive.”

There is no clear standard in the U.S. for what sort of security a company should have in place, primarily because the technology and sophistication of attacks is constantly evolving. At this point, there are too many variables to determine whether eBay is at fault.

“It’s one of the only crimes where the victim is commonly blamed,” Boyd said. “EBay most likely spends an enormous amount on privacy and data security, but they are also a very rich-looking target. If and when there is a breach, one of the first [questions is], ‘What did they do wrong?’”

However, the company may be at fault for not providing users’ personal information with the same sort of encryption security that it gives passwords. Commissioner Graham said that this is just the latest wake-up call for business to “realize that personal information is their plaything” and to take security more seriously.

European data protection watchdogs are meeting next week to discuss issues regarding privacy and security, and the eBay hack is likely to be high on their agenda.