Online marketplace eBay has stated that cyber criminals compromised a "small number of employee log-in credentials" in the United States between late February and early March 2014 to gain access to its database.
The eBay US database contained customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth, but no financial or other confidential information, the company said.
The compromise of eBay's log-in credentials highlights that putting the bulk of an information security budget into combating external threats "no longer works", said Australian Information Security Association (AISA) spokesperson Lani Refiti.
“Attackers with enough resources and motivation will, at some point, compromise your organisation to some degree. Organisations need to focus on the detect and remediate phase equally,” he told Computerworld Australia.
According to Refiti, network segmentation is a “simple but effective” security control that companies with large amounts of data should use.
“What I'd be interested to see when eBay release further information is whether they did any data/information segmentation such as separating the user database from the password database or used multi-factor authentication internally. In a layered defence model, this makes it harder for the attacker to get all the pieces they need,” he said.
Refiti added that there are no reports, as yet, of Australian eBay users who have been compromised.
"This attack is similar in nature to the one that Target US and Neiman Marcus have suffered; it's a trend against online retailers. If I was Target Australia or K-Mart, I would be looking at my information security management system very closely," he said.
Dell Software Australia and New Zealand's managing director, Ian Hodge, agreed with Refiti’s call for “detect and remediate” by companies.
“Data leaks can often originate from employees, through intentional theft, lost or stolen mobile devices or accidental exposure. Poorly managed privileged credentials are increasingly leaving organisations as vulnerable as a hole in a firewall and sensitive information can easily find itself in the wrong hands,” he said in a statement.
Hodge advised IT security managers and CSOs to create a list of how many privileged accounts their company has and who has access to what information.
“This can help identify where your organisation is most vulnerable to internal security breaches. It is incredibly important that these users also have strong passwords that are frequently changed to reduce the threat.”
In addition, Hodge said information security managers should conduct regular reports to identify if privileged passwords have been changed.
"Knowing who has access to what [information] – and ensuring that users are only provided with the lowest level of access required to perform a task – can reduce the threat."
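The inventory, password-age report and least-privilege check Hodge describes can be automated once the account data is exported from the directory. The script below is an added example written for this article, not Dell's or eBay's tooling; the group names, the mapping from groups to data stores, the per-role baseline of what each job needs, the 90-day password-age policy and the four sample accounts are all constructed for illustration.

```python
"""Audit a privileged-account inventory: which accounts are privileged and
what data they can reach, whose password is older than policy allows, and
who holds access beyond what their role requires.

Added example.  Every group name, data store, role baseline and account
below is constructed for illustration and is not real directory data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Groups treated as privileged (assumed for this example).
PRIVILEGED_GROUPS = {"Domain Admins", "DBA", "Support Tier 2"}

# Assumed policy: privileged passwords older than this are reported.
MAX_PASSWORD_AGE_DAYS = 90

# Data stores each directory group can reach (assumed mapping).
GROUP_DATA_ACCESS = {
    "Domain Admins": {"user_db", "password_db", "payment_db"},
    "DBA": {"user_db", "password_db"},
    "Support Tier 2": {"user_db"},
    "Staff": set(),
}

# Least-privilege baseline: what each job role actually needs (assumed).
ROLE_NEEDS = {
    "sysadmin": {"user_db", "password_db", "payment_db"},
    "dba": {"user_db", "password_db"},
    "support": {"user_db"},
    "marketing": set(),
}


@dataclass(frozen=True)
class Account:
    name: str
    role: str
    groups: frozenset
    last_password_change: date


def reachable_data(acct):
    """Union of the data stores granted by every group the account holds."""
    data = set()
    for group in acct.groups:
        data |= GROUP_DATA_ACCESS.get(group, set())
    return data


def is_privileged(acct):
    return bool(acct.groups & PRIVILEGED_GROUPS)


def privileged_inventory(accounts):
    """The 'list' of privileged accounts: name -> data stores it can reach."""
    return {a.name: sorted(reachable_data(a))
            for a in accounts if is_privileged(a)}


def stale_privileged_passwords(accounts, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Privileged accounts whose password has not changed within the policy window."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(a.name for a in accounts
                  if is_privileged(a) and a.last_password_change < cutoff)


def excess_access(accounts):
    """Accounts whose group grants exceed the baseline for their role:
    name -> data stores the role does not need."""
    report = {}
    for a in accounts:
        extra = reachable_data(a) - ROLE_NEEDS.get(a.role, set())
        if extra:
            report[a.name] = sorted(extra)
    return report


# Constructed sample export; dates are arbitrary.
TODAY = date(2014, 5, 22)
SAMPLE = [
    Account("alice", "sysadmin", frozenset({"Domain Admins"}), date(2014, 4, 1)),
    Account("bob", "dba", frozenset({"DBA"}), date(2013, 11, 2)),
    # A support engineer who has been left in the DBA group.
    Account("carol", "support", frozenset({"Support Tier 2", "DBA"}), date(2014, 5, 1)),
    # Unprivileged staff account: old password, but not in scope of this report.
    Account("dave", "marketing", frozenset({"Staff"}), date(2012, 1, 1)),
]

if __name__ == "__main__":
    for name, data in privileged_inventory(SAMPLE).items():
        print(f"privileged: {name} -> {', '.join(data)}")
    for name in stale_privileged_passwords(SAMPLE, TODAY):
        print(f"password older than {MAX_PASSWORD_AGE_DAYS} days: {name}")
    for name, extra in excess_access(SAMPLE).items():
        print(f"access beyond role: {name} -> {', '.join(extra)}")
```

The three reports correspond to the three pieces of advice: the inventory answers "who has access to what", the password-age report is the periodic check that privileged passwords have actually been rotated, and the excess-access report finds the accounts that break the "lowest level of access required" rule (here, the support engineer who can reach the password store through a leftover group membership). Feeding it real data means exporting group membership and password-change timestamps from the directory and replacing the constructed mappings with the organisation's own.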
Two factor authentication
According to ESET security researcher Lysa Myers, the eBay compromise could “have been worse” if financial data had been kept together with passwords and personal customer details.
“However, because the database also included eBay users’ name, email address, physical address, phone number and date of birth, this breach does open up the possibility for other types of scams such as phishing attempts,” she said in a statement.
“eBay users are advised to be on the lookout for suspicious messages, and avoid clicking on links in emails they receive.”
Myers added that eBay customers should make sure their new password is “very strong” and different from the passwords they use for other online accounts.
“If you have not yet started using a password manager, this could be a good time, as they can be very helpful in creating and maintaining strong passwords for each online account you use.”
Turning to eBay, she questioned why a number of employee log-in credentials were successfully hacked.
“This could imply that eBay is not requiring its own employees to use two factor authentication [2FA] in order to access sensitive customer data. Many websites and online services, such as Twitter and Google, offer their users 2FA to bolster the security of their account.”
According to Myers, the introduction of 2FA could “greatly bolster” the security of eBay customer accounts in the future.
Follow Hamish Barwick on Twitter: @HamishBarwick