The breach occurred between late February and early March, when hackers were able to obtain access to the log-in details of eBay employees, but was only discovered earlier this week. The hack revealed information on eBay customers, including their names, email addresses, phone numbers, dates of birth and encrypted passwords, although no financial data.
eBay says there has been no fraudulent activity since the attack but is urging customers to change their passwords as a safety precaution. A spokesperson says eBay is in the process of sending out emails to customers, although they caution that while the process is “well under way” this will take some time.
It also has information on its UK home page advising people of the attack and asking them to reset their password. There are plans to roll out “other communications and marketing”, although there is no further information yet as to what this might be.
eBay’s brand has already taken a hit, according to YouGov’s BrandIndex. Its buzz score – a measure of the positive and negative things said about a brand – fell by 9.8 points to -0.3 over the past week, a statistically significant decline.
That sharp fall caused eBay to drop down a list of 42 online brands from fourth position to 28. Metrics including impression, value and reputation have also fallen.
The retailer is also facing regulatory pressure. Data commissioners in the US have already launched investigations while in the UK the Information Commissioner’s Office is considering launching a formal investigation, although it must first decide what the breach was and whether it falls into its jurisdiction.
Data protection law specialists are warning that eBay could face compensation claims from sellers if it is found that the hackers have conducted fake transactions on the site, or a fine if it is found to have breached the Data Protection Act. The ICO previously fined Sony £250,000 for a data breach on its PlayStation Network in 2011.
Kathryn Wynn, a lawyer at Pinsent Masons, says: “The cyber attack on eBay poses risks of ID theft against its users. If criminals have access to the compromised data they may be able to use existing accounts to carry out fake transactions, pocketing the money they receive with no intention of sending any goods to the buyer. Users may find that they are forced into refunding buyers as a result of the fraud perpetuated using their account details. In those circumstances, eBay may find itself subject to claims for compensation from UK users under the Data Protection Act.”