The ICO and three US states are investigating eBay over its handling of a data breach that exposed the details of 145 million users
The UK Information Commissioner’s Office (ICO) has said it is coordinating with European authorities to launch a probe into eBay’s exposure of the personal details of millions of users in an attack disclosed last week.
eBay is also being investigated by the US states of Connecticut, Florida and Illinois over the attack, in which the perpetrators used the credentials of three eBay employees to access the email addresses and encrypted passwords of all users of the site, a number estimated at 145 million.
Also affected were phone numbers, dates of birth and postal addresses, but no financial data, eBay said. The passwords were encrypted, but the other data was not, according to the company. eBay’s PayPal unit was not affected by the breach.
The ICO told BBC Radio 5 on Friday that the body is obliged to coordinate any investigation with data protection authorities in Luxembourg, the location of eBay’s European headquarters. The ICO said its investigation was not yet underway.
eBay told Reuters on Friday that the company did not initially believe any customer data had been affected in the incident, which is thought to have occurred between late February and early March, and was discovered in early May.
“For a very long period of time we did not believe that there was any eBay customer data compromised,” said Devin Wenig, head of global marketplaces, in a Reuters report. The remarks were the first public comments by a senior eBay executive on the issue. He said that when the company realised customer data was involved, it moved “swiftly to disclose” the breach.
Wenig said that the issue affected “anyone who has ever touched eBay”, and that as a result notifying the users involved was a slow task. “We’re going to send all of them an email, but sending that number all at once is not operationally possible,” he said.
Customers have complained about eBay’s slow response and about difficulties accessing the site’s password reset page. eBay said on Friday that the password reset function was working normally. The company has rolled out a feature obliging all users to reset their password the next time they log into the site.
In March Europol and its partners claimed success in taking down a crew of criminals who were selling fake electronic items over eBay as well as Polish online platforms.
In January the company faced pressure from investor Carl Icahn to spin off its PayPal unit.