eBay to face formal investigations over data breach

Attorneys general in three states in the US are looking into the hack, and an official in the UK is considering a formal probe.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.


eBay will have to answer to government officials over its recent data breach.

The online auction site revealed Wednesday that hackers had penetrated its corporate network and compromised the credentials of its users. As a result, the company has urged all users of the site to change their passwords.

Reacting to the news, the attorneys general of Connecticut, Florida, and Illinois will launch a joint investigation, Jaclyn Falkowski, a spokeswoman for Connecticut Attorney General George Jepsen, told CNET.

"Our office has been in contact with the company, and our inquiry will focus on the measures the company had in place in regards to the security of personal information prior to the incident, the circumstances that led to the breach, how many users were affected, the company's response to the breach and what measures the company is taking to prevent future incidents," Falkowski said.

Matthew Fitzsimmons, a Connecticut assistant attorney general who heads the office's privacy task force, will assist Jepsen with the eBay investigation, according to a statement.

In a request for comment about the joint state investigation, a spokeswoman for eBay sent CNET the following statement:

"We have relationships with and proactively contacted a number of state, federal, and international regulators and law enforcement agencies. We are fully cooperating with them on all aspects of this incident."

Further, UK Information Commissioner Christopher Graham told the media that his office is considering a formal probe of the eBay hack, The Register said Friday. Graham also noted to Sky News that his team had fined Sony £250,000 (currently $421,000) for its PlayStation Network data breach in 2011.

"eBay is, on the face of it, a very serious breach," Graham said. "The message for business is you've got to be better at security and you've got to be better with our personal data."

But an official probe on the part of the UK may not launch right away. Graham told BBC Radio that his office would first have to work with data protection authorities in Luxembourg, where eBay's European headquarters are located, according to the BBC.

There are "millions of UK citizens affected by this, and we've been clear that we're monitoring it, but by taking the wrong action under the law now we risk invalidating any investigation," a spokesman for the Information Commissioner's Office told the BBC.

New York Attorney General Eric Schneiderman said he wants eBay to provide access to free credit monitoring so users can check their credit records.

"The news that eBay has discovered a security breach involving customer data is deeply concerning," Schneiderman said on his website. "New Yorkers and eBay customers across the country trust that retailers will protect their personal information when they shop online. Our office has asked and fully expects eBay to provide free credit monitoring services to customers impacted by this breach."

The eBay database containing customer names, encrypted passwords, email addresses, physical addresses, phone numbers, and dates of birth was compromised in late February and early March. The company reportedly only recently became aware of the hack.

eBay has been criticized for not directly informing users of the breach. But in a tweet posted on Thursday, the company said that an email is headed for each user.

"Just to let everyone know, it will take some time for every eBay user to get our reset email. You can still go to eBay to change password."