Voltage Security comment on eBay cyber attack
(M2 PressWIRE Via Acquire Media NewsEdge) Following today's breaking news that eBay are to ask all their customers to change passwords due to a cyber attack, Brendan Rizzo, technical director EMEA at encryption specialists, Voltage Security, said: "It is unlikely the attackers would be able to use the stolen passwords, since eBay, abiding by good security practices, should have hashed and salted its passwords. If this was performed correctly, then users should not be concerned about their passwords being compromised. The more worrying aspect of this disclosure is that it appears that the other personally identifiable information was left completely unprotected. This information would give the attackers almost all of the information they need to undertake fraudulent activity on a compromised user's behalf.
This breach highlights a need for companies to place tighter controls on how user credentials are stored and protected. If data is left unprotected, it's not a matter of "if" it will be compromised - it's a matter of "when". While there is no doubt that eBay has top of the line security in place to guard against attacks, even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances. The length of time it took eBay to discover this attack is evidence that attackers can still find a way to slip through a company's defenses undetected. When a company is storing sensitive information about their customers, the risk is to the data itself. Therefore, a company needs to assume that all other security measures may fail, and the data itself must be a primary focus for protection - usually via encryption. It is critical to note that this protection needs to include all potentially sensitive information and not just financial related data. If eBay had employed format-preserving encryption to protect the data itself, the attackers would have ended up with unusable encrypted data instead of the current outcome where users' personal information has now been exposed to an untold number of cyber criminals."
For more information, or to speak to Brendan, do get in touch.
Lara - Eskenzi PR
+44 (0)207 183 2834
(c) 2014 M2 COMMUNICATIONS