The Lesson of eBay

Rick Dakin, CEO, Co-founder and Chief Security Strategist

After every major cyber breach, security professionals are asked about the lessons we can learn from them. While the technical details of the eBay attack aren’t yet public, we can already learn lessons from the company’s public statements and its communications to its customers (see inset).

The eBay case demonstrates the two biggest problems with cybersecurity today. First, there’s too much focus on payment card security and not enough attention being paid to all the other personal information being shared, swapped and stolen.

eBay claims no payment information was taken and that hackers didn’t make it into the PayPal system, which houses financial information for millions of users. That’s good news for card issuers, but consumers still had lots of their information stolen, including physical and email addresses, phone numbers and birth dates. That’s plenty of information to start a social engineering attack.

For too long, IT security in the retail industry has myopically focused on payment card security via PCI compliance. PCI DSS is just a baseline. It’s a great place to start when building a security program, but a lousy place to stop.

Which brings up the second major problem with our current security situation. Companies just aren’t doing enough. The response of our business leaders is not commensurate with the escalating threat.

For example, eBay says passwords were encrypted (see letter to right), but other information wasn’t. That technology is readily available, and eBay could have encrypted more data than it did.

Right now, the technology industry is focused on speed. They’re operating like car companies 50 years ago, building fast, powerful products that are as fun to use as a 1969 Corvette. The problem for consumers is that those products are also about as safe as a 1969 Corvette. It’s time to start thinking about seatbelts, airbags and anti-lock brakes.

Coalfire consultants are experts in compliance. We conduct more than 1,000 audits and assessments of systems containing sensitive data each year. We know and can explain all the minimum steps needed to not be negligent. But shouldn't we all be operating on a higher plane?

Our forward-thinking customers know that baseline compliance testing is a critical part of the program, but they also do additional monitoring, analysis and penetration testing.

The truth is that every company, every industry is different. An acceptable level of security investment in one place won’t be remotely sufficient in another. The biggest question for company executives facing material risk from a breach: Are we doing enough? (Let alone “everything” as eBay claims.)

The answer in most cases? Probably not.

Learn more about Coalfire’s services today.

Rick Dakin