
The security breach that compromised the names, physical addresses, and passwords of up to 145 million eBay users in February and March has attracted the attention of lawmakers in Florida, Connecticut, and Illinois, who plan to investigate the company’s security practices. The United Kingdom’s Information Commissioner’s Office is also said to be considering an investigation into eBay’s security, and New York Attorney General Eric Schneiderman has asked the company to offer free credit monitoring to those affected by the breach.

The investigations follow questions about why eBay didn't notice the attack until months after it occurred or, if it was discovered earlier, why it waited to tell consumers about the breach. The breach also comes hot on the heels of others at Target, Snapchat, and AOL, not to mention the Heartbleed bug in OpenSSL, a library used by roughly two-thirds of web servers, so it seems that this breach is going to be on everyone's mind for some time to come.

Reactions from around the Web

William Rubinstein, the commissioner of Connecticut’s department of consumer protection, explains the problem of using the same password across multiple websites:

Anyone who had been using their eBay password for other internet or email accounts should immediately assign different passwords for those accounts to protect them from being accessed through this breach. While it’s not recommended, many people use the same password over and over. Recent massive data breaches underline the importance of personal password management — keep your passwords unique for each account, simple for you and no one else to remember, and regularly updated.

Florida’s attorney general, Pam Bondi, released the following statement:

The magnitude of the reported eBay data breach could be of historic proportions, and my office is part of a group of other attorneys general in the country investigating the matter. We must do everything in our power to protect consumers’ personal information, which is exactly why I worked with the Florida Legislature on the Florida Information Protection Act.

New York Attorney General Eric Schneiderman on his request for eBay to provide free credit monitoring:

The news that eBay has discovered a security breach involving customer data is deeply concerning. New Yorkers and eBay customers across the country trust that retailers will protect their personal information when they shop online. Our office has asked and fully expects eBay to provide free credit monitoring services to customers impacted by this breach.

Pando weighs in

On the difficulty of changing many passwords at once:

While there are various tools that can generate strong passwords and keep them in sync across multiple platforms, there isn’t an “Oh shit!” button that can automatically reset all of those passwords when something like this happens. It’s up to you to remember all of the websites you’ve visited, the passwords you used for those sites, and to create new passwords that anyone knowing your old ones won’t be able to guess. That’s not necessarily a bad thing: having to manually change the passwords could help protect against any potential flaws hiding in the generators used by tools like 1Password or LastPass.

On the dangers of biometric security, which introduces its own set of problems:

However, when the success of the iPhone inevitably leads to a future in which lots of different technologies in your life are locked and unlocked by a finite number of biometrics, then far more than your phone is at risk. The scale of such biometric security systems would mean your whole life could be held hostage because the locks and keys have been fundamentally changed.

Think about it in practical terms. Whereas in today’s password-based system you can protect yourself after a security breach with a simple password change, in tomorrow’s biometric-based system, you have far fewer – if any – ways to protect yourself after a security breach. That’s because you cannot so easily change your fingers, your eyes or your face. They are basically permanent. Yes, it’s true – security-wise, those biological characteristics may (and I stress “may”) be less vulnerable to a hack than a password. But if and when they are hacked in a society reorganized around biometric security systems, those systems allow for far less damage control than does a password-based system. In effect, your physical identity is stolen – and you can’t get it back.

On the increasing rate at which large-scale attacks like this are occurring:

Given the frequency with which these breaches are occurring, it seems that having to change passwords for at least one website every few weeks is going to become the new normal. In the meantime, hackers are able to get away with personal information that isn’t quite so easily changed, such as someone’s name and physical address. Having to change some passwords isn’t fun — having to live with the fact that someone has all of this other information is even worse.

[illustration by Hallie Bateman for Pando]