“Hackers are becoming far more opportunistic today and are frequently targeting easier pickings in an effort to gain access to systems and steal valuable data. In the last few years, most of the high-profile data thefts that have made the news have come about not through complex, large scale attacks that have used distributed or large-scale local networks of machines to breach security,” said Sergio Galindo, general manager of the Infrastructure Business unit at GFI Software, a company that develops web and mail security, as well as software for networking, security, archiving and more.
He told Softpedia that hackers are more opportunistic these days and choose to exploit the “IT equivalent of an open window in an otherwise locked building”: weak passwords, staff information that is easy to obtain, and open wireless network connections.
Galindo notes that while reports so far indicate the incident was facilitated by lax employee data security, there could be more to the story, ranging from weak and easily guessed passwords to the exploitation of insecure network devices to breach a system without raising any red flags.
“The potential damage to confidence and reputation is also not helped by the confirmation from eBay that the thefts announced today took place as far back as February. The reasons for the delay are not yet known, but we know from past examples that an early admission of a data loss helps minimize the negative impact on customer confidence,” said the GFI Software GM, pointing to the bad PR move from eBay.
Unfortunately, eBay won’t be the last company to fall prey to attacks that exploit weak employee security practices, but the incident can serve as a learning point for any business.
Regular password changes can help, as can re-educating staff about the real risks of jotting passwords down on a piece of paper that is left where anyone can find it.
145 million accounts were affected by the eBay hack, which took place between late February and early March. Email addresses, passwords, and personal information were stolen, but the passwords are said to have been stored in encrypted form, and there is no indication so far that this layer was broken. Even so, a stolen password database can be attacked offline at the attacker’s leisure, which is why affected users are being asked to change their passwords.