Cyberattacks on customer information are becoming an increasingly common corporate issue.
UK shoe retailer Office is the latest company to report to customers that it has fallen victim to a cyberattack. Dominating the news though is eBay, which has come under immense criticism from authorities and security experts following a cyberattack in which up to 145 million customers' data may have been stolen.
The breach occurred in late February or early March of this year, but was only detected by the company last month. Customers' names, email and postal addresses, phone numbers and dates of birth were stolen, as well as their passwords. While passwords were encrypted, there is limited information on how this information was stored, and whether the level of encryption is strong enough to withstand decryption efforts by hackers.
Initial reports suggest that hackers accessed the data after stealing eBay staff's usernames and passwords, and using those to access customers' personal information. As well as the justified concern over eBay's lack of internal security measures, questions are being asked of eBay's response in the aftermath of the breach. eBay's first warning to customers appeared on its scarcely used corporate website eBayinc.com. eBay later posted a statement to PayPal's site stating only that eBay users were advised to change their passwords, but offering no further explanation. This caused further confusion to users, who understandably assumed that their PayPal accounts had also been affected. While eBay has now posted a note to eBay.com encouraging users to change their passwords, it has faced heavy criticism for its lack of immediate email contact with users once the breach had been revealed.
A number of investigations are now underway as to how such a serious data breach was allowed to occur. As eBay are an American company, the security breach falls under the remit of the Federal Trade Commission. eBay's European headquarters are based in Luxembourg, and therefore the Luxembourg data protection authority are leading the investigation in Europe. At this stage, despite millions of UK consumers being affected by the breach, it is not yet clear whether there has been a breach of the Data Protection Act. "So far our work has been offering assistance to Luxembourg, and providing advice to consumers", read a statement from the Information Commissioner's Office. "By taking the wrong action at the wrong time, we risk undermining any investigation. What we can be sure about is that if there has been a breach of the Data Protection Act, we'll act firmly."
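The question raised above, whether a stolen password table can withstand offline guessing, turns on how the passwords were stored rather than on "encryption" as such. The following is an added illustration, not code from the article or from eBay, of the storage scheme a defender wants: a per-user random salt and a deliberately slow key derivation, so that a leaked record cannot be decrypted and every guess costs the attacker real work. The iteration count, salt length and record format are assumed values chosen for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not any real service's configuration).
PBKDF2_ITERATIONS = 600_000   # cost per guess; raise as hardware gets faster
SALT_BYTES = 16               # per-user random salt defeats precomputed tables


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt>$<hash>.

    Storing the parameters with the record lets verification keep working
    after the cost is raised for new records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and parameters and compare
    in constant time, so a timing difference does not leak how many bytes matched."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record was created with a lower cost than the current policy;
    the caller rehashes at the next successful login."""
    return int(record.split("$")[1]) < min_iterations
```

Because nothing in the record is reversible, a breach exposes only hashes that must be guessed one password at a time at the stored cost, which is the property the paragraph above says is unknown for the eBay data.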
For consumers, the advice is clear: vary your passwords between different online services and ensure that you opt for strong combinations as opposed to simpler patterns of letters and numbers. It is, however, the responsibility of the companies whose services we are using to ensure that our data is kept secure.
For businesses storing customer data online, extensive security measures need to be taken and clearly an internet giant such as eBay should be held to the highest possible standard of online data protection. While smaller companies may not be expected to take quite the same measures, it is no less important for them to ensure that the data they hold is effectively protected. As well as securing customer data using the appropriate systems and encryption software, it is crucial to ensure that staff are trained in managing data and, should the worst happen, that a plan of action is in place to mitigate any risk to the customer and reputational damage to the business. When we look across the Atlantic at the fallout from the data breach suffered by Target Corp. last December we see that not only does such a breach result in millions being spent to mitigate the breach, but that it will also cost senior executives their jobs and impact on profits, which could potentially cripple the business.