eBay Cyber Attack Investigated By State AGs

At least 10 states, led by Connecticut, Illinois and Florida, are investigating a large-scale data breach at eBay that was revealed in May, according to EcommerceBytes.

The states’ Attorneys General are working together to investigate the specific circumstances of the breach and the general safeguards eBay has in place to protect against intrusions, Connecticut Assistant Attorney General Matt Fitzsimmons said, adding that the investigation is still in its early stages.

But Fitzsimmons indicated that the investigation so far has supported eBay’s statements that users’ financial information wasn’t involved in the breach. “From what we know now, it’s not the type of information that would likely lead us to request credit monitoring,” Fitzsimmons said. He also said eBay was being “cooperative.”

On May 21, eBay announced that cyberthieves had acquired log-in credentials for “a small number” of employees, and used them to access a database that contained eBay user information including names, email and physical addresses, phone numbers, dates of birth and encrypted passwords, but not financial information. eBay did not say how many users were actually affected, but it notified all 145 million active buyers and required them to change their passwords. The company said the breach occurred in late February and early March, and eBay detected it “earlier in May.”

In July, a Louisiana eBay user, Collin Green, sued eBay for failing to protect users’ information. The consumer privacy class-action lawsuit alleged that eBay made a “profit-driven decision” to delay announcing the breach, which it said was “the result of eBay’s inadequate security in regard to protecting identity information of its millions of customers.”