A week is a long time in security

The former Prime Minister, Harold Wilson, once observed that a week is a long time in politics.  The same is also true in IT security.  A week ago, eBay was a trusted brand with a good security reputation:  after all, it had survived the Heartbleed vulnerability scare that affected so many other globally-popular websites.  Now this reputation has been shattered after it revealed that it was the victim of perhaps the biggest security breach ever, with the details of nearly 150 million users stolen by hackers.

It turns out that the only piece of personal information that eBay encrypted was users’ passwords.  The remaining data – names, email addresses, postal addresses, dates of birth and so on – was stored in plain text on its servers.  All the attackers had to do was compromise the email of a few eBay employees, and they had access to a diamond mine of data that could be used for phishing, cloning identities and other nefarious purposes.

It seems the company applied the same levels of security to the data it held as you’d expect on the laptop of a small rural auctioneer.  The ramifications of this are likely to be felt by eBay for some time.

What’s more, the past week saw Apple’s reputation for security take a severe blow, when it was announced that the iCloud activation lock (which protects iPhones, iPads and other devices if they are lost or stolen) has a fundamental flaw which can be worked around with a simple downloadable tool.  This means thieves can unlock devices and access data on stolen devices at will – until Apple rolls out a fix.  Pentura MD Steve Smith commented on this issue here:  http://www.scmagazineuk.com/apples-icloud-activation-lock-cracked/article/348295/

What a difference a week can make to a company’s reputation.