If you have an EBay account you have by now received an email requesting that you change your password. This is the result of a clandestine information systems breach that occurred more than two months prior.
Ignoring the ethics of failing to notify the affected stakeholders, in this case end-users, the question is how this type of breach could happen to begin with. How did hackers manage to access and obtain personal information that should have been hosted in a production environment?
EBay is a publicly traded institution on a number of exchanges around the world. One of the requirements of being publicly listed on an US index a company must maintain Sarbanes-Oxley compliance. This means that strict security principles, policies and practices are in place to ensure the integrity of a company’s Enterprise Infrastructure. In particular, any infrastructure that could be compromised resulting in an effect to the listed companies traded stock price.
EBay’s obligation towards SOX compliance is what makes this hack seem so astounding. Many news sources have reported that the hackers silently obtained the user credentials of EBay employees leading up to the attack. One can surmise that a number of strategies could have happened to obtain these credentials (phishing, targeted malware, etc.). The hackers then used this information to access and copy production data to an off-site location. EBay reported to the media on May 21 that the above scenario occurred resulting in the data breach. A full two to three months after the breach occurred.
To be SOX compliant no EBay employee should have had unaudited access to production data on any server, ever. The only exception to this policy could occur if during a relevant incident or problem an Enterprise application support team member requested a temporary administrative account credential in order to resolve an issue. Another exception could be to apply an Enterprise software or infrastructure change to the production environment. In both situations, the support team or change facilitators would contact the service operations team and request a temporary password to the production infrastructure; a password that would expire or be reset after the resolution or change is applied.
Clearly EBay has revealed that they do not have such security policies in place; and if they do, they are not enforced. This is a substantial lack of discipline with clearly catastrophic consequences. EBay may now be held accountable to providing all the affected users with free credit reporting for a year. As well they may be fined by US regulators and other governments throughout the world.
It is a fact that systems administrators are aggressively reluctant to give up their administrative credentials. Good security policy however, must maintain that no single individual should have unaudited administrative access to an Enterprise production environment or be in a position that could potentially cause harm to the information systems of a corporation. This policy should be in place regardless of the company being publicly traded or a private institution.
How a corporation such as EBay could make such a substantial failure in security policy is unknown and draws me to conclude that it was simply a lack of discipline. EBay’s disclosure on their Form 10-K (2013 Exhibit 31 & 32 on page 99) suggests that their intention is to be SOX compliant so one can assume they must have some policies in place that SOX auditors have approved. That suggest to me then that EBay’s IT service operations does not enforce security policy as it should.
Of course this is all conjecture on my part as I do not have an inside look at internal incident reports and root cause analysis and as such, I am open to discussion or debate on this issue. It should be noted however, that I’m not the only one drawing such a conclusion as no fewer than three Attorney Generals in various states in the US have opened an investigation. Of course their investigations may focus toward the ethical responsibility of reporting the incident to the public, but I have no doubt that the Securities and Exchange Commissions themselves have a keen interest in how this security breach happened.