Cyber thieves have struck again, this time at eBay Inc. — proving once more that the World Wide Web is still a little Wild Wild West.
The e-commerce giant said Wednesday that cyber attackers compromised employee log-in credentials, gaining access to a database with encrypted passwords as well as customer names, e-mail and physical addresses, phone numbers and dates of birth.
The scope of the theft is sweeping. EBay, which enabled $205 billion in sales last year, has 145 million active buyers and advised all of its users to change their passwords.
Such cyber attacks are becoming a way of life in retail, stirring concerns from corporate suites to the halls of Congress.
Just before Christmas, Target Corp. said it had been hit with an attack that was ultimately shown to have involved the personal data of more than 100 million consumers. The attack and Target’s response to it, as well as other missteps, led to the ouster of Gregg Steinhafel, chairman, president and chief executive officer. Neiman Marcus also suffered a smaller attack last year and The TJX Cos. Inc. was hit in years past.
EBay said: “After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.”
Although investors took the attack in stride — eBay’s stock price dipped just 8 cents to $51.88 after the theft was made public — and no payment information appears to have been compromised, the company might have to do some more hand-holding with its users.
Kit Yarrow, consumer psychologist at Golden Gate University, who has consulted for Silicon Valley companies, was critical of eBay’s handling of the attack, which took place between late February and early March and was discovered this month.
“There have been breaches all over the place and in that way, I think consumers are perhaps getting a little thicker skinned about the possibility that their information is going to be hacked and stolen,” Yarrow said. “On the other hand, every other establishment has just been really apologetic, very active in finding ways to protect the consumer the best they can.”
Companies have to work harder than ever to keep their customers. And Yarrow noted that when they’re let down, “consumers look for alternatives” and are finding plenty of places to take their business.
Retailers and brands are well aware of the risks to their reputations and are starting to mobilize against hackers, who see the large e-commerce players as juicy targets with treasure troves of consumer data.
This month, the Retail Industry Leaders Association, along with several major U.S. retailers and brands, launched the Retail Cyber Intelligence Sharing Center, the centerpiece of which is a Retail Information Sharing and Analysis Center.
Through the center, retailers will share cyber-threat information among themselves and, through analysts, with public and private stakeholders. The formation of the center follows pressure from Congress for retailers to improve their notification and tracking procedures regarding such cyber attacks. Executives from Target and Neiman’s were grilled by congressional committees earlier this year about their respective attacks — and criticized by congressmen for failing to notify consumers faster, and for not having better protections in place.
Target on Wednesday revealed it still is suffering from the aftermath of its attack, with first-quarter profits continuing to be impacted. It said it could not say now much the breach might cost it in the future.