Hacked eBay exposes itself to another attack

May 24, 2014

By Richard Beales

The author is a Reuters Breakingviews columnist. The opinions expressed are his own.

EBay just exposed itself to another attack. Carl Icahn buried the hatchet with the online auctioneer’s board before it came out that records of 145 million customers got hacked. That means there’s an opening for another uppity investor to pressure eBay’s chief executive and directors.

After all, Gregg Steinhafel, chief executive of retailer Target, just lost his job following a cyberattack affecting up to 110 million customer records. The episode damaged the company’s reputation and is costing it money, too, as Target tries to keep shoppers sweet.

EBay said PayPal, which Icahn had wanted spun off, wasn’t affected and that financial information wasn’t taken. And it’s not clear what systems the company had in place to prevent and detect intrusions. In this case, statements from $66 billion eBay suggest that, as security experts say is often the case, the breach involved hackers stealing genuine employee login credentials.

Target’s experience late last year was just one high-profile warning. According to Symantec, eight breaches in 2013 exposed more than 10 million people’s data, up from one the year before and five in 2011. So there’s little excuse if eBay boss John Donahoe failed to have state-of-the-art defenses in place. A tech company running an online-only business with the likes of venture capitalist Marc Andreessen on the board should understand the threats and the latest responses.

Participants at a Securities and Exchange Commission roundtable in March are among those who have noted the need for corporate boards to pay close attention to online threats. EBay last March recommended investors vote against a shareholder resolution requiring it to disclose more about privacy and data security risks, saying it already had a “best in class” privacy program and that its audit committee already monitored security.

Even the best systems aren’t foolproof, of course. And although eBay’s statements suggest it took nearly three months to detect the compromised credentials and then another two weeks or so to notify customers – hardly a rapid-seeming response – it’s possible the company did all it reasonably could.

Either way, it puts Donahoe and his directors on the defensive again. Moreover, serious questions about the security of eBay’s networks could easily cast a shadow over PayPal, too. That just might support the case for separating the operation – just as Icahn wanted.
