More information is required to truly reveal the security measures that were in place, and being transparent with the public during the breach response is important, said Kenneth Leeser, president of Newton, Mass.-based Kaliber Data Security. Leeser, a risk management specialist, said organizations that attempt to cover up lapses often suffer more significant brand reputation damage than those that come out with all of the facts associated with a breach.
"People want sunshine and insist that the breached organization sheds light with clear and concise information about the matter," Leeser said. "People accept the bad things that happen, but it's how you respond that ultimately determines public opinion in the marketplace."
The breach and a string of similar user account breaches at e-commerce businesses and social networks in 2013 have shed light on how data is protected and accessed, say solution providers. E-commerce startup LivingSocial revealed a data security breach of its user accounts last year, forcing the firm to respond by resetting the passwords of at least 50 million of its users after it found malware on its internal servers.
Online data storage service Evernote was the victim of a breach impacting some 50 million users. Twitter, Tumblr and Pinterest users also were impacted by a data security breach at third-party customer service provider Zendesk. And millions of usernames and passwords were exposed last year in a breach at social networking site LinkedIn, which didn't adequately protect the user passwords.
Leeser said organizations are increasingly putting mechanisms in place to proactively monitor system logs for employee login attempts that could signal suspicious activity.
Tools are available to automate the process of monitoring system access and addressing or challenging users that show signs of suspicious activity, Leeser said. The software often helps IT teams manage privileges and eliminate inactive employee accounts or temporary access granted to contractors or other third-party partners to systems, he said.
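The two controls Leeser describes, watching login logs for activity worth challenging and pruning inactive or expired accounts, as an added example that is not from the article or any vendor it names. The log format, field names, account inventory and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not from eBay or any real system).
SAMPLE_LOG = """\
2014-05-20T02:14:03Z user=alice src=203.0.113.7 result=FAIL
2014-05-20T02:14:09Z user=alice src=203.0.113.7 result=FAIL
2014-05-20T02:14:15Z user=alice src=203.0.113.7 result=FAIL
2014-05-20T02:14:30Z user=alice src=203.0.113.7 result=OK
2014-05-20T09:05:00Z user=bob src=198.51.100.4 result=FAIL
2014-05-20T09:06:00Z user=bob src=198.51.100.4 result=OK
""".splitlines()

def parse(line):
    # "<timestamp> key=value key=value ..." -> dict with a datetime under "ts"
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def suspicious_logins(lines, max_failures=3, window=timedelta(minutes=5)):
    """Accounts whose success followed >= max_failures failures within window."""
    recent = defaultdict(list)  # user -> timestamps of failures since last success
    flagged = set()
    for ev in map(parse, lines):
        user = ev["user"]
        if ev["result"] == "FAIL":
            recent[user].append(ev["ts"])
            continue
        cutoff = ev["ts"] - window
        if sum(t >= cutoff for t in recent[user]) >= max_failures:
            flagged.add(user)  # guessing burst then success: challenge this user
        recent[user].clear()  # a success resets the failure streak
    return sorted(flagged)

# Constructed inventory: last successful login and, for temporary accounts, the agreed end date.
ACCOUNTS = {
    "alice": {"last_login": "2014-05-20", "expires": None},
    "carol": {"last_login": "2013-11-02", "expires": None},
    "vendor_tmp": {"last_login": "2014-05-01", "expires": "2014-04-30"},
}

def accounts_to_disable(accounts, today, max_idle=timedelta(days=90)):
    """Flag accounts idle longer than max_idle or whose temporary access lapsed."""
    now = datetime.strptime(today, "%Y-%m-%d")
    out = {}
    for name, a in accounts.items():
        last = datetime.strptime(a["last_login"], "%Y-%m-%d")
        if now - last > max_idle:
            out[name] = "inactive"
        elif a["expires"] and datetime.strptime(a["expires"], "%Y-%m-%d") < now:
            out[name] = "temporary access expired"  # still logging in after end date
    return out
```

Note that vendor_tmp is flagged because it logged in after its agreed end date, the situation that a periodic review of contractor access is meant to catch.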
"Monitoring system access is growing increasingly complex, especially with cloud implementations, the use of third-party services and the Bring-Your-Own-Device phenomenon," Leeser said.
When IT implements measures to enforce employee or customer password restrictions, it is often met with pushback from system users or account holders, said Eric Peters, a sales executive at Seattle-based solution provider Trebron Company Inc. There's often a fear, especially among small and midsize businesses, that policy enforcement with authentication and access control will frustrate users and result in lost business or gnarled user productivity, Peters said.
"Talking to customers about security and preaching best practices to them is one thing, but successfully implementing them with the least amount of pain is another," Peters said. "It's often a balancing act for IT directors."
In addition to passwords, the database exposed in the breach contained physical and email addresses, user date of birth, phone numbers and other information, eBay said. The data is valuable to spammers and could make eBay account holders more susceptible to falling for an online scam and phishing attacks, said Cameron Camp, a security researcher at the U.S. arm of Bratislava, Slovakia-based antivirus vendor ESET. Camp said scammers also can send out email messages spoofing eBay in an attempt to get account credential information from users.
eBay and other businesses often weigh implementing security controls against business interests, a calculation that is based on a variety of factors, including the company's risk tolerance, Camp said. Business interests often trump security, he said.
"The extent of security measures businesses put in place to protect systems containing sensitive data depends on the context of the information you are protecting," Camp said. "There has to be system segregation and context behind the data you are interacting with to put practical security measures in place."
PUBLISHED MAY 22, 2014