Hacked eBay exposes itself to another attack
By Richard Beales
The author is a Reuters Breakingviews columnist. The opinions expressed are his own.
EBay just exposed itself to another attack. Carl Icahn buried the hatchet with the online auctioneer’s board before it came out that records of 145 million customers got hacked. That means there’s an opening for another uppity investor to pressure eBay’s chief executive and directors.
After all, Gregg Steinhafel, chief executive of retailer Target, just lost his job following a cyberattack affecting up to 110 million customer records. The episode damaged the company’s reputation and is costing it money, too, as Target tries to keep shoppers sweet.
EBay said PayPal, which Icahn had wanted spun off, wasn’t affected and that financial information wasn’t taken. And it’s not clear what systems the company had in place to prevent and detect intrusions. In this case, statements from $66 billion eBay suggest that, as security experts say is often the case, the breach involved hackers stealing genuine employee login credentials.
Target’s experience late last year was just one high-profile warning. According to Symantec, eight breaches in 2013 each exposed more than 10 million people’s data, up from one the year before and five in 2011. So there’s little excuse if eBay boss John Donahoe failed to have state-of-the-art defenses in place. A tech company running an online-only business with the likes of venture capitalist Marc Andreessen on the board should understand the threats and the latest responses.
Participants at a Securities and Exchange Commission roundtable in March are among those who have noted the need for corporate boards to pay close attention to online threats. EBay last March recommended investors vote against a shareholder resolution requiring it to disclose more about privacy and data security risks, saying it already had a “best in class” privacy program and that its audit committee already monitored security.
Even the best systems aren’t foolproof, of course. And although eBay’s statements suggest it took nearly three months to detect the compromised credentials and then another two weeks or so to notify customers – hardly a rapid-seeming response – it’s possible the company did all it reasonably could.
Either way, it puts Donahoe and his directors on the defensive again. Moreover, serious questions about the security of eBay’s networks could easily cast a shadow over PayPal, too. That just might support the case for separating the operation – just as Icahn wanted.