By Jim Finkle and Karen Freifeld
BOSTON/NEW YORK, May 22 - EBay Inc came
under pressure on Thursday over a massive hacking of customer
data as three U.S. states began investigating the e-commerce
company's security practices.
Connecticut, Florida and Illinois said they are jointly
investigating the matter. New York Attorney General Eric
Schneiderman requested eBay provide free credit monitoring for
everyone affected.
What happened is still unclear because eBay
has provided few details about the attack. It is also unclear
what legal authority states have over eBay's handling of the
matter.
The states' quick move shows that authorities are serious
about holding companies accountable for securing data following
high-profile breaches at other companies, including retailers
Target Corp, Neiman Marcus and Michaels and credit
monitoring bureau Experian Plc.
Congress and the Federal Trade Commission are investigating
the Target breach, which resulted in the firing of the company's
chief executive and its chief information officer.
"There is definitely a climate shift," said Jamie Court,
president of the advocacy group Consumer Watchdog. "The
departure of the Target CEO over the problem signals inside the
board room and in the halls of government that these are
betrayals of customers and that they won't be tolerated."
EBay shares fell 0.7 on Nasdaq, compared with a 0.6 increase
in the Nasdaq Composite Index.
The investigation by the states will focus on eBay's
measures for securing data, circumstances that led to the breach
and the company's response, said Jaclyn Falkowski, a spokeswoman
for Connecticut Attorney General George Jepsen.
EBay spokeswoman Amanda Miller declined to comment on the
states' actions, but said the company was working with
authorities around the globe.
"We have relationships with and proactively contacted a
number of state, federal and international regulators and law
enforcement agencies," she said. "We are fully cooperating with
them on all aspects of this incident."
COMPLAINTS
Some customers complained on eBay Community forums that they
had not received much information about the breach from eBay and
have yet to get notifications by email, which the company has
promised to do.
"This is all over the news - Nothing from EBay," sfbay111
said in one post on an eBay forum.
Several security experts said best practice would be to
have a message pop up when users log in, telling them about the
breach and forcing password changes.
As of Thursday afternoon, eBay did not have information on
the attack visible on its market home page, www.ebay.com.
"That's really poor incident response," said David Kennedy,
a cyber forensics expert who is CEO of TrustedSEC LLC. "EBay
should be held to a higher standard."
Kathryn Higa, a Honolulu-based entrepreneur and longtime
eBay user, said she was "disappointed" with eBay's response to
the breach.
She would like the company to post notices on its
marketplace, www.ebay.com. They are currently on its corporate
site, www.ebayinc.com.
"They have not exercised all the vehicles available to them
to protect their customers," she told Reuters via telephone.
The company addressed delays in notification in a Tweet on
Thursday afternoon: "Just to let everyone know, it will take
some time for every eBay user to get our reset email. You can
still go to eBay to change password."
INVESTIGATION
A spokesman for the FBI's San Francisco office said multiple
agents were working on the case, but declined to comment on the
likelihood of apprehending the culprits.
Even though the criminals have yet to surface, that has not
prevented others from trying to profit from their work.
Someone posted a batch of emails, scrambled passwords, phone
numbers and addresses of more than 12,000 people on the
Internet, saying it was a sample of data stolen from eBay and
offering to sell the full batch for 1.453 bitcoin, or a little
more than $750.
EBay's Miller said the information was not authentic.
Reuters spoke to six people whose phone numbers were
included in that batch. While only four said they had eBay
accounts, all of them said the data was correct, which suggests
they may have been victims of another data breach.
