Why do big companies keep losing data?

Penetration Testing Experts


So we hear in the press that eBay has now been subject to a data breach, and potentially all eBay's users have had their personal details and password hashes exposed.  This is a LOT of users.

On one hand you might argue that a lot of “personal” data is already public; after all, in the UK you can purchase a subscription to the electoral roll or a service like www.192.com.  You can also buy data in bulk from many commercial mailing companies, and as for email addresses, comprehensive lists are also available for a price.

On the other hand you might think that a company like eBay should know better, and have appropriate controls in place to prevent large-scale data breaches from happening.  There will be fallout, and Luxembourgish data protection laws have no doubt been broken.

For the general public, when a large, trusted website gets hacked, the risk of successful phishing attacks and identity theft increases.  In my opinion it's bad news for everyone, and I would recommend you keep an eye open for:

Password re-use attacks

Is the username/password combination you use on eBay the same as for any other online service?  If so, it's likely that if hackers have this data, they will be using it to see if they can gain access to your PayPal, Hotmail, Gmail, Facebook, LinkedIn or online banking account.

Advice?  Spend some time reviewing what other online accounts you have, and make sure they all have a different password.  Sounds easier than it is, as so many providers seem to ask you to set up a username/password in order to buy something, or access their services.  You might have lost your registration details or not recollect setting up accounts.  Personally I feel there should be a law that forces providers to disable user accounts that haven't been accessed for the past 6 months, but as it stands companies can keep your personal data for “marketing” or “customer records” purposes indefinitely under UK law.

Identity theft

Often you will find out too late that you have been subject to identity theft, once criminals have tried to take a loan out in your name and ruined your credit record.  The impact is huge, yet the regular cost of identifying fraud is low.  Services are available for a few pounds a month that can help alert you if something's up, or £15 for a premium service.  For a HNWI this is nothing.  Do it.

End point security

It goes without saying that many usernames/passwords are stolen in transit when users visit malicious websites or are phished.  Many perfectly viable solutions exist that can identify phishing links and also locate and eliminate malware.  Make sure you use them.

What should companies do?

You might think from the above that only individuals will be affected.  But guess what?  Users' eBay passwords are probably the same as their work email passwords, especially if you haven't set a password expiry date.  This, added to hackers having the users' personal information, could mean hackers gaining access to work email.  If your helpdesk's password reset mechanism involves you using your home address or birthday to reset your password, then again you're exposed.

Companies should certainly not just sit back and think it's not their problem, and should be encouraged to help their staff deal with these sorts of cyber issues.  An employee subject to an identity theft attack is not a motivated or efficient employee, and may even have to take time out to sort the problem out.  A short but effective security awareness campaign will not only help employees who might be at risk, it will also help the employer's image as being someone who cares.

The worst you could do is do nothing

Action is needed, whoever and wherever you are.  With eBay being almost apathetic about the problem and not mandating a password reset (it's optional), eBay users at least are at risk, and users simply might not be aware of the severity of the problem.

All our private data is public

If you've ever used the internet, then your data is at risk.  It just depends how much personal data you've ever entered into a web page on the internet, and how careful you are in monitoring each of these sites and selecting different passwords for each.  Buy good identity theft protection.  Buy good anti-malware solutions.  Buy good credit monitoring services.  It's the only way you're going to prevent the inevitable.  With FOUR MILLION (Action Fraud 2014 report) people in the UK alone already affected by identity theft (that's approximately 1 in 20), do you really want to run the risk and not have suitable protection in place?

