Thursday, May 22, 2014

Lessons from the eBay cyber attack

Breach of online auction company raises tough questions

Internet hackers are so successful at penetrating company IT systems these days that, for the most part, breaches go without comment. But few have been quite as startling as the one declared this week by eBay, the online auction website.
The company announced that in a breach of its database between late February and early March, hackers obtained several of its employees’ login credentials. This gave the hackers access to the names, addresses, telephone numbers, email addresses and passwords of its 128m active users.
The company said it had only become aware of the intrusion two weeks ago. As a result, it is now asking its active users to reset their passwords – aiming to rectify what is probably one of the biggest data breaches in the history of the internet.
Following this admission, eBay’s worldwide customers would be justified in asking the company some searching questions. Why did it take eBay at least two months to discover that the cyber attack had taken place? And having discovered the intrusion, why did another two weeks elapse before its customers were informed?
What is worrying is the way eBay seems to have tried to play down this event. It emphasised that the hackers only obtained a “small number” of employee login credentials – but the theft of just one set of employee login details can compromise a company. It insisted that the group’s PayPal online payment service had not been breached. But the theft of millions of clients’ personal data will have created opportunities for cyber theft from banks and other companies in recent months.
Whatever the specifics of the eBay case, this incident raises broader questions about the vulnerability of the digital economy. After all, if well-established, well-funded internet names are vulnerable to this kind of assault on their databases, this ought to prompt some hard thinking across the global business community.
Two issues are worth highlighting. First, while many companies are aware of the risk of cyber attack, too few are putting in place adequate systems to detect such activity.
A prominent investigation by Verizon, the telecommunications group, into data breaches found that in more than 70 per cent of cases, companies only realise they are under attack after being notified by an outsider, not their own internal systems. This suggests that too many companies are operating on the principle that they might be compromised, not that they definitely will.
A second concern is that too few companies declare publicly that they have been attacked for fear of wounding their reputation and share price. This makes it hard for governments and the private sector to mount a collective response to specific activity by cyber criminals.
True, some companies are willing to be identified to help governments pursue hackers. One indication came this week when the US Department of Justice indicted five Chinese military officers over the theft of intellectual property from American businesses.
As part of the indictment, the DoJ publicly declared the names of several US companies that had allegedly been targeted by the Chinese. But the willingness of companies to come out in the open is still rare. Last year Mandiant, an internet consultancy, reported that 141 unnamed companies had been hacked in operations by the People’s Liberation Army. Most of these companies are still refusing to declare this publicly.
In the US and Europe business leaders are still failing to concern themselves about the risk of cyber attack. There is no longer any excuse for bosses who mishandle this area of their business. Companies must become far more serious about both preventing and tackling these risks.