The massive data breach that saw eBay instruct 200m users to change their passwords presents salutary lessons for online retailers.

As they harvest more and more data about their customers in the pursuit of increasingly accurate and sophisticated targeting of advertising and special offers, and with potentially hugely significant changes to European Union regulations looming large on the horizon, data protection is a responsibility that online retailers can ill afford to shirk.

While the precise consequences will depend at least in part on the location of a business’s operations within the EU, losing password data in the way that eBay has done this week risks breach of the UK’s Data Protection Act 1998, and the data protection regulations in place in the other EU nations in which a retailer operates.

European data protection laws require retailers to take appropriate technological and organisational measures to safeguard the customer data that they hold. These measures range from installing and maintaining electronic security tools such as firewalls and data encryption to ensuring that the business follows best practice in all its data collection, storage, and management processes and controls.

If a data breach occurs in spite of a retailer taking such appropriate measures in its defence, it is unlikely to lead to legal reprisals or other sanctions from privacy regulators such as the Information Commissioner’s Office (ICO) in the UK. However, the legal cost is not the only one to consider: the ramifications of a major data breach for a retailer’s reputation in the industry and among consumers can be severe. A recent report by PwC and the Department for Business, Innovation and Skills put the average financial cost of a major data breach at a large organisation at up to £1.1 million. An organisation of eBay’s size and scope can expect its bill to run to many multiples of that figure. Retailers found to be in breach of PCI DSS, the card industry’s standard governing the handling of cardholder data, will also face the wrath of the credit card industry.

Perhaps more worryingly, some news reports have claimed that this breach was known to eBay as long ago as March. Almost two months is a long time to leave customers potentially vulnerable to the whims of a hacker (or whoever their data is passed on to). At present, UK retailers are under no obligation to disclose data breaches, but this is likely to change soon: a proposed amendment to EU data protection regulations will, if ratified, compel organisations to report breaches within as little as 24 hours of their discovery. This may, however, be counterproductive, giving businesses insufficient time to fully understand the cause and nature of a breach and to have a solution in place before announcing it to customers.

Retailers have a lot of valuable data to lose. While, in this instance, only passwords and non-financial data were lost, retailers hold transactional and behavioural data on customers that can be enormously valuable to hackers looking to use it for phishing attacks or other fraudulent activity, or even just to sell on ‘as is’.

Preventative measures against data breaches are, however, generally fairly well known. Good architecture and web design are prerequisites. It is also important to run regular network penetration testing to gauge the reliability of firewalls and other technological security features, and to ensure that operating systems and software programmes are up to date with the latest security patches.

There is always the risk of ‘zero-day’ issues, though: vulnerabilities that have not been identified previously and for which no patch yet exists. The recent ‘Heartbleed’ bug is a case in point. Taking prompt action to address such issues once they become common industry knowledge is important to avoid legal complications. Having blogged extensively about this and other well-known security risks, such as Microsoft’s cessation of support for Windows XP, the ICO is likely to take a dim view under its “appropriate measures” criteria of organisations that have not taken sensible steps to address such well-known issues and then suffer a breach.

It should be noted, though, that the obligation to take appropriate security measures does not require organisations to spend beyond their means. The current law allows leeway for what it is realistic for a business to implement, so small online retailers need not worry about having to throw bucketfuls of cash at the latest bells and whistles.

Ultimately, however, it pays to note that the vast majority of ordinary data breaches occur not because of a failure of technology, but because of internal failings: a rogue employee stealing data, or human error creeping into processes. Keep abreast of who has access to what data, and ensure that all relevant staff are fully trained in information security and data management best practice. And, perhaps, consider how much of the data you hold you actually need. After all, the best way not to lose data is never to have collected it in the first place.

  • Rob Machin, DWF