How to Lose Customers the eBay Way

And so, another domino falls. This week it was eBay’s turn to announce it had been the victim of a massive data breach. As befits such a revelation from what is, at present, the 23rd-most-visited website in the world, the news has been accorded headline status across the globe. And, as was the case with the Stratfor hack a few years ago, this one hits home.

I’ve been an eBay customer for over a decade. The site has helped me track down some rare records I might never have found otherwise, and my dealings with other users have been friendly, successful and straightforward. And while I don’t use it as much as I once did, it’s still good to know it’s there, as we all like to have options. All that, though, has now come to an end.

The details released so far are embarrassing for eBay, but – according to most of the media reports about the hack, which have kept close to the company’s own line – probably not too worrying for site users. Hackers appear to have gained access to a database containing records of some 145 million customers. The breach happened some time in February but was not detected until early May. In a statement on its corporate website, eBay said hackers had “compromised a small number of employee log-in credentials,” implying – though not explicitly confirming – that the attack relied on social engineering of employees with extensive database access.

As it tries to limit the damage, eBay is about to embark on a sizable publicity blitz, involving a doubtless expensive global ad campaign as well as direct emails that will roll out following its announcement to the press, to tell its users to change their passwords. We are told that, at some point soon, users logging in to the site will be forced to change their passwords, so some re-engineering of the entire global eBay platform is presumably underway. The share price has fallen, though not as yet by too much; costs will surely rise in the weeks ahead.

So far, this is the story as it’s played out in other media, and the picture painted is far from pretty for the internet giant (eBay, founded 19 years ago, has over 33,000 employees worldwide and turned over more than $16 billion in 2013). But it gets messier – and far more scary – the closer you look.

First up, the response to the breach, from a customer perspective, is lamentable. At the time of writing – around 9am on May 22, around 18 hours after the breach was announced but well over two weeks since eBay admits it knew about it – there is still no information about the hack, or the need to change passwords, on the home page. There is a notification, but it appears only as one of five rotating banner ads at the top of the page, and it isn’t there every time you visit the site. No email from eBay has arrived, despite – presumably – customer account information still being held by eBay (there is no suggestion that hackers destroyed eBay’s copies of the data, so it is unclear why customers have not been alerted directly).

The message this sends out is that eBay rates its customers’ right to access details of the breach and to receive timely information about it as being of considerably less importance than advising them of its “Memorial Day deals” or the 50% off available on some tech items. As a customer whose data have been stolen, the fact that I’m hearing about this from the BBC, the Guardian and Reuters, but not as yet from eBay, is some way short of encouraging.

But let’s be charitable and allow eBay a bit of time to alert their customers, and perhaps accept that going to the media first maybe makes a degree of sense. Quite quickly, the message has got through: unless an eBay user never looks at news sites online, doesn’t listen to the radio, read newspapers or watch TV, chances are they will be aware of this by now – and maybe that’s quicker and more reliable than a direct email, because we ought to be used to treating a “We’ve been hacked! Change your password now!” email with some degree of scepticism. Let’s further assume that the majority of customers will by now have found their way to the posting on the corporate blog that stands at present as the company’s view on the matter, and represents their full and frank advice to customers. Yet even if we cut the company this amount of slack, the response still falls a long way short of acceptable.

The opening of this online statement is all about the password reset, why it’s necessary, and contains an apology to customers that they’re going to have to go through the rigmarole involved. It seeks to reassure us that our password has been stored securely, and, while it has been stolen, it is not in a readable form. “Calm down,” we are told: “everything’s going to be OK. We’re sorry, but the chances of anything bad happening are pretty low.” Paragraph four, however, says something entirely different. “The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth,” it reads.

Excuse me? So you only encrypted the password? This means that all 145 million eBay customers are now at heightened risk of identity theft, and will need to be particularly diligent in coming weeks and months about any and every unsolicited incoming email or telephone call. To any social engineer worthy of the name, making malicious use of so extensive a set of information ought to be like shooting fish in a barrel.

As someone stung into action some time ago by another data breach at a much smaller online entity, I’ve already made sure that I use different, strong passwords at every site: of all the data eBay holds on me, the one bit I’m really not too bothered to have falling into the hands of criminals is the password – there’s nothing they can do with it which will harm me. Because my PayPal account uses a different email address as well as a different strong password, stealing my money isn’t going to be quite so straightforward: I’m optimistic those in possession of the eBay database will choose to target some of the other 144.9 million account-holders in search of lower-hanging fruit. I’m presently also congratulating myself for my sloth – the postal address and phone number eBay holds for me are two house-moves out of date, but only because I never got round to updating them. This ought to make it that bit less likely that I’ll suffer through eBay-related identity theft, but not through any prescience on my part – and certainly not through eBay’s efforts to secure the information I provided to the company.

My date of birth hasn’t changed, though – and given how often one has to use that metric to obtain and access financial services, that’s a major headache. So while I’m personally relieved by my relatively limited exposure to risk, I’m acutely aware that most of those limits are the result of my own actions, not eBay’s: and if I’m doing a better job at keeping myself safe from online fraud than a multinational company with a multi-billion-dollar turnover, then something is desperately, sickeningly wrong.

How can a household-name company that interacts with its customers entirely through computer systems get away with storing its customer data in so insecure a way, and then claim – as eBay does, in its statement – that “Information security and customer data protection are of paramount importance” to it? This is clearly a fiction: if those things were of any importance at all, the data would have been stored securely, encrypted strongly, and staff given better training on how to avoid giving global customer database logon details to criminals. That eBay has failed to do any of these things adequately is bad enough: that they choose to try to hide just how bad a mess this is by stressing the stable-door/bolted-horse password-change measure suggests that they hold their customers in contempt.

There is, of course, only one logical response. It’s a shame, but I’ve not really got any alternative. I’ve closed my eBay account (or, at least, I’ve begun that process: it’s going to take eBay two weeks, apparently, to do this). I closed my Stratfor account because they kept my data in unencrypted form on insecure servers, so I’m just being a hypocrite if I don’t apply the same standards to other online businesses I deal with. If these companies won’t protect my data, I’ll have to do it myself – and if I don’t act, I’m just making the whole problem worse, by being a passive enabler of bad security.

So from here on in, I’ll be looking for old records over at – it’s proved a happy hunting ground in the past, and they don’t require you to give them anywhere near as much personal data. Maybe if a few other people follow suit, and vote with their feet – take their business away from companies who have proved incapable of practising acceptable levels of security and instead become customers of alternative vendors – some of these internet multinationals might start to realise that the savings they make by doing security on the cheap may not turn out to have been the shrewdest bit of business they ever conducted. It is difficult to predict how this situation will pan out, but the one thing I’m sure of is that if we don’t, as customers, put all the pressure we can on companies to do better with data security, we are merely shortening the time before we become victims not just of data theft, but of full-on, real-world, money-taken-from-us fraud.
