EBay could face compensation claims following cyber attack, warns expert

Out-Law News | 22 May 2014 | 4:14 pm | 3 min. read

Online marketplace eBay may face compensations claims from some of its users if their IT security systems are shown to be deficient in light of a major cyber attack that has hit the company, an expert has said.

Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that criminals may be able to impersonate sellers on eBay and conduct fake transactions following the attack. EBay may be exposed to compensation claims from victims of ID theft where those individuals are forced to refund buyers for goods they paid for but did not receive from the bogus sellers, she said.

Wynn was commenting after eBay announced that a database containing users' information had been compromised during a hacking attack earlier this year. The company said that the names, encrypted passwords, email addresses, postal addresses, phone numbers and dates of birth of its customers had been compromised in the attack.

The hackers had managed to access the database after hacking into some eBay employee's accounts and accessing the company's corporate network, it said. The attack took place between late February and early March. The company has said that its tests to date have shown that there has been "no unauthorised activity for eBay users, and no evidence of any unauthorised access to financial or credit card information, which is stored separately in encrypted formats". However, it advised its users to change their passwords for the site.

"The cyber attack on eBay poses risks of ID theft against its users," Wynn said. "If criminals have access to the compromised data they may be able to use existing accounts to carry out fake transactions, pocketing the money they receive with no intention of sending any goods to the buyer. Users may find that they are forced into refunding buyers as a result of the fraud perpetuated using their account details. In those circumstances, eBay may find itself subject to claims for compensation from UK users under the Data Protection Act."

Under section 13 of the Data Protection Act (DPA) a person is generally entitled to compensation if they suffer damage as a result of violations of a section of the Act by organisations that hold their personal data. Individuals are also generally entitled to compensation from those data controllers if they suffer distress that causes damage.

Organisations do have a defence to this right to compensation if they can "prove that [they] had taken such care as in all the circumstances was reasonably required to comply with the requirement [that it is alleged to have breached]."

Wynn said that eBay would be able to defend itself against compensation claims from UK users if it could show that, despite falling victim to a cyber attack, the data security measures it had put in place were appropriate.

"The important question that any court would consider is whether a company experiencing a data breach had done enough to prevent that attack," Wynn said. "Factors such as whether the attack was a sophisticated one or whether it resulted because of an inherent, obvious vulnerability in either the technical or organisational measures the business put in place to protect against unauthorised accessing of personal data will be important in this context."

The Information Commissioner's Office (ICO) recently issued IT security guidance which sets out the measures organisations can deploy to secure the personal data they are responsible for. It highlighted the importance of 'salting' and 'hashing' passwords organisations store to make it harder for hackers to decrypt in the event that data is compromised.

"The Data Protection Act requires that organisations put in place 'appropriate' technical and organisational data security measures," Wynn said. "What's 'appropriate' for a large multinational will differ from the measures smaller companies will need to deploy. In issuing Sony with a fine of £250,000 over a major data breach the company experienced following a cyber attack on its PlayStation Network, the ICO has shown that it is willing to take action against major organisations it perceives to have fallen below the standards required for data security."

Wynn also said there are wider consequences of data breaches that businesses, and consumers, can help protect against.

"Most of the focus of cyber attacks is in obtaining financial information, such as payment card data, so as to carry out fraud," Wynn said. "However, because many consumers use the same password across different services there is a risk that a stolen password from one database can be used to access individuals' accounts elsewhere. With the increase in many public services going digital, even more sensitive information - health data - is at risk of being exposed."

"Hackers able to access piece together health data with other information they have compromised may be able to carry out more nuanced, less detectable, criminal activity than merely payment card fraud. For example, they may be able to build up a sufficient profile of an individual to be able to complete a fraudulent life assurance application. It should be incumbent on organisations to issue a warning about the use of the same password across different accounts when users come to register with them to help protect against this possibility, particularly in light of the increasing number of data breach incidents," she said.