Hacked eBay exposes itself to another attack
By Richard Beales
The author is a Reuters Breakingviews columnist. The opinions expressed are his own.
EBay just exposed itself to another attack. Carl Icahn buried the hatchet with the online auctioneer’s board before it came out that records of 145 million customers got hacked. That means there’s an opening for another uppity investor to pressure eBay’s chief executive and directors.
After all, Gregg Steinhafel, chief executive of retailer Target, just lost his job following a cyberattack affecting up to 110 million customer records. The episode damaged the company’s reputation and is costing it money, too, as Target tries to keep shoppers sweet.
EBay said PayPal, which Icahn had wanted spun off, wasn’t affected and that financial information wasn’t taken. And it’s not clear what systems the company had in place to prevent and detect intrusions. In this case, statements from $66 billion eBay suggest that, as security experts say is often the case, the breach involved hackers stealing genuine employee login credentials.
Target’s experience late last year was just one high-profile warning. According to Symantec, eight breaches in 2013 exposed more than 10 million people’s data, up from one the year before and five in 2011. So there’s little excuse if eBay boss John Donahoe failed to have state-of-the-art defenses in place. A tech company running an online-only business with the likes of venture capitalist Marc Andreessen on the board should understand the threats and the latest responses.
Participants at a Securities and Exchange Commission roundtable in March are among those who have noted the need for corporate boards to pay close attention to online threats. EBay last March recommended investors vote against a shareholder resolution requiring it to disclose more about privacy and data security risks, saying it already had a “best in class” privacy program and that its audit committee already monitored security.
Even the best systems aren’t foolproof, of course. And although eBay’s statements suggest it took nearly three months to detect the compromised credentials and then another two weeks or so to notify customers – hardly a rapid-seeming response – it’s possible the company did all it reasonably could.
Either way, it puts Donahoe and his directors on the defensive again. Moreover, serious questions about the security of eBay’s networks could easily cast a shadow over PayPal, too. That just might support the case for separating the operation – just as Icahn wanted.