The recent compromise of eBay and the subsequent theft of personal information have reinforced one aspect of any mature information security approach: adequate application of defence in depth.
That eBay has been compromised is, in itself, not particularly unusual. For most organisations, which have fewer resources and a smaller budget than eBay, it is almost expected that they will eventually be compromised to some degree. What is compromised, and whether you know about it, are variables you have more control over.
eBay, and its payment house, PayPal, secured financial information well. What eBay, and every organisation holding sensitive information, should have done is apply the same approach used to protect financial data to its other sensitive data. The tools and techniques were available to eBay; it simply chose to store personal data in the clear while securing financial data.
The personal data that was compromised included:
- Date of birth
- Telephone number
- Email address
Whilst these pieces of information are hardly equivalent to a credit card number, expiry date and CVV, they can easily be put to use by malicious actors. Recall the questions your bank or credit card issuer asks to confirm your identity over the phone before you can enquire about, or make changes to, your account.
Recently, UK TV presenter Jeremy Clarkson dismissed the risk of exposing a mere bank account number by publishing his own in the Sun newspaper. He then discovered the details had been used to set up a £500 direct debit to a charity, and admitted he had been wrong to dismiss the possible impact. It is easy to imagine the increased exposure when a malicious party holds all of the additional information contained in the eBay database.
Taking our assumption that an organisation is likely to be compromised at some point, we can limit the exposure by applying defence in depth to make exfiltrating useful data harder. Simply encrypting the database with strong cryptography and maintaining an adequate key management programme would have thwarted the theft, reducing the compromise to an intrusion with little tangible impact.
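As an added illustration of that point (example code written for this post, not eBay's or PayPal's), the snippet below encrypts exactly the three fields listed above at the field level with AES-256-GCM in Go, assuming the key is fetched from a key-management service and never stored alongside the data. The user ID is bound as associated data so that a ciphertext moved onto another user's row, or tampered with, fails to open; a dump of the table then yields only opaque bytes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// PII holds the fields the post lists as having been stored in the clear.
type PII struct{ DateOfBirth, Telephone, Email string }

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPII returns nonce||ciphertext for the database column. The key is assumed to
// live in a KMS/HSM, never in the database; the user ID is bound as associated data.
func SealPII(key []byte, userID string, rec PII) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	plain, _ := json.Marshal(rec) // a struct of plain strings cannot fail to marshal
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plain, []byte(userID)), nil
}

// OpenPII reverses SealPII; a wrong key, wrong user ID or any bit flip fails closed.
func OpenPII(key []byte, userID string, stored []byte) (rec PII, err error) {
	aead, err := gcm(key)
	if err != nil || len(stored) < aead.NonceSize() {
		return PII{}, errors.New("bad key or stored value")
	}
	ns := aead.NonceSize()
	plain, err := aead.Open(nil, stored[:ns], stored[ns:], []byte(userID))
	if err != nil {
		return PII{}, errors.New("record failed authentication")
	}
	return rec, json.Unmarshal(plain, &rec)
}
```

The key management side (rotation, access control to the KMS, audit of key use) is what turns this from a technical control into the programme the post calls for.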