eBay Faces Breach Class Action SuitAlleges Inadequate Security Protections for Customer Info
See Also: The Power and Scale of XDR
The lawsuit contends that the eBay breach was the result of the company's "inadequate security" for protecting identity information of its millions of customers.
"eBay was aware of the value of the personal information it held, and the threat to the security of that information long before the 2014 security breach," the lawsuit says, citing eBay's first quarter 2014 SEC filing, where the company acknowledged that security breaches were a constant threat.
"eBay collected personal information it knew was highly valuable to thieves, and took inadequate steps to protect that information, in breach of its obligations and the laws of 47 states and the United States," the lawsuit says. "The information was stolen, and eBay waited an unreasonably long time to either detect or report the theft to its customers. The failure damaged each customer as each will, at a minimum, incur significant identity protection costs and concerns."
The lawsuit asserts that e-Bay violated state privacy laws, the Gramm-Leach-Bliley Act and the Federal Stored Communications Act, which is designed to protect the privacy of users of electronically transmitted information. It also alleges a violation of Louisiana R.S. 51:3072, which states that "expeditious notification of possible misuse of a person's personal information is imperative."
The suit doesn't specify instances of fraud or identity theft, but says class members "must be vigilant for many years in checking for fraud in their name, and be prepared to deal with the steep costs associated with identity fraud." It seeks compensatory damages, consequential damages, injunctive relief and costs of the suit, including attorneys' fees.
eBay did not immediately respond to a request for comment on the lawsuit.
The breach, which eBay revealed in May, occurred between late February and early March, and originated after a small number of employee log-in credentials were compromised (see: eBay Sees Revenue Decline Due to Breach). That allowed cyber-attackers to gain access to eBay's corporate network.
Compromised information included encrypted passwords, customer names, e-mail addresses, mailing addresses, phone numbers and dates of birth, according to the company. The exposed database did not contain financial information, eBay says. The company urged 145 million customers to reset their passwords.
As a result of the breach, officials say they lowered eBay's annual revenue target by $200 million. The cyberattack, along with changes in Google's search engine optimization protocols, had an adverse impact on eBay's sales, CEO John Donahoe said in a July 16 call with security analysts. "We're confident that we'll work through the global password reset and the SEO changes," he says. "It will take longer and cost more."