State AGs Investigate eBay BreachNew York AG Asks Company to Provide Free Credit Monitoring
The attorneys general in Florida, Connecticut and Illinois have announced they are investigating the recent data breach at eBay, which potentially exposed the personal information of 145 million customers.
See Also: Rethinking Endpoint Security
Meanwhile, New York Attorney General Eric Schneiderman says his office has asked eBay to provide free credit monitoring services to all customers affected by the breach. And the attorneys general in South Dakota and Iowa have issued statements alerting consumers to the incident.
"The news that eBay has discovered a security breach involving customer data is deeply concerning," Schneiderman says. "New Yorkers and eBay customers across the country trust that retailers will protect their personal information when they shop online."
The eBay attack could be of "historic proportions," says Florida Attorney General Pam Bondi. "My office is part of a group of other attorneys general in the country investigating the matter," she says. "We must do everything in our power to protect consumers' personal information."
Connecticut Attorney General George Jepsen says his office is looking into the circumstances surrounding the breach as well as the steps eBay is taking to prevent future incidents. "However, the most important step for consumers to take right now is to change their password and to choose a strong, unique password that is not easily guessed."
Meanwhile, the UK Information Commissioner's Office has also confirmed that it's looking into the situation, "with a view to ensuring a full investigation takes place. On the face of it, this is a very serious breach."
Information Commissioner Christopher Graham says the ICO's response will be complicated because eBay is a multinational Internet company. "They're an American company, so the Federal Trade Commission will look into this," he says in a May 23 blog. "They've got a European headquarters in Luxembourg, so the Luxembourg data protection authority will lead on an investigation in Europe. And there's millions of UK citizens affected, so clearly we will be involved where we can."
Advice to Consumers
Consumers should not only change their passwords for eBay, but also for other online accounts that use the same password, notes Iowa Attorney General Tom Miller. "It's likely that many consumers use the same password for several online accounts, including websites that allow access to money and credit cards," he says.
Miller also urges consumers to be on the lookout for scammers attempting to take advantage of the situation through phishing e-mails purporting to come from eBay.
South Dakota Attorney General Marty Jackley advises consumers to review their eBay account information for any suspicious activity. "It is unclear at this time how many of the ... accounts were affected, but consumers should be proactive and not wait for confirmation," he says.
eBay has not acknowledged how many individuals had their information exposed in the breach, but the company has more than 145 million customers. So far, the company says it has found no evidence of unauthorized activity on eBay accounts.
The attack, which occurred between late February and early March, originated after a small number of employee log-in credentials were compromised, which enabled cyber-attackers to gain access to an eBay database (see: eBay Breach: 145 Million Users Notified).
Compromised information includes encrypted passwords, customer names, e-mail addresses, mailing addresses, phone numbers and dates of birth, eBay says. The database that was exposed in the breach did not contain financial information, the company says.
eBay also says it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted, the company says.