EBay Inc. (EBAY) is being probed by at least three states after the online marketplace revealed it was hit by a cyber-attack, triggering the latest call for free credit monitoring in the wake of identity theft at a U.S. retailer.
A database containing encrypted passwords and personal information was breached from late February to early March, the San Jose, California-based company said May 21. EBay urged users to change their passwords, while noting that credit card numbers are stored separately and there was no evidence of unauthorized activity resulting from the breach.
“The news that EBay has discovered a security breach involving customer data is deeply concerning,” New York Attorney General Eric Schneiderman, who hasn’t announced a formal investigation, said yesterday. “Our office has asked and fully expects EBay to provide free credit-monitoring services to customers impacted by this breach.”
EBay’s revelation follows high-profile consumer-data breaches at Michaels Corp., Neiman Marcus Group Ltd. and Target Corp. (TGT) that exposed information on millions of shoppers, leading to litigation and a call by some lawmakers for a national notification requirement. Attorneys general in Connecticut, Illinois and Florida said yesterday they would investigate the EBay breach, in addition to probes of the other cases.
In December, Minneapolis-based Target agreed to provide a year of free credit monitoring to New York victims of its credit and debit card data breach, Schneiderman announced at the time. His office requested that Target provide the service to ensure New York shoppers don’t become victims of identity theft, he said.
Target, the second-largest U.S. discount chain, said last year that data for about 40 million debit and credit cards may have been wrongfully accessed from Nov. 27 to Dec. 15.
Federal and state regulators and lawmakers have been grappling with how to sharpen disclosure rules as banks and retailers have been slow to inform the public about cyber-attacks and the loss of customer data. Companies including Target have disclosed breaches, which has affected share prices and in Target’s case was a contributing factor that led to the ouster of the chief executive officer.
Michaels, the world’s largest arts-and-crafts retailer, said Jan. 25 that it had learned of possible fraudulent activity on some U.S. payment cards that had been used at its stores, suggesting it may have experienced a data breach.
Earlier that month, Neiman Marcus, the Dallas-based luxury department store operator, said 1.1 million customer credit cards may have been compromised in a data breach that occurred last year.
EBay found no evidence that its financial or credit card information was compromised, Amanda Miller, a spokeswoman, said. “EBay users should not be concerned about increased financial or credit fraud,” she said.
EBay’s disclosure stands in contrast to the actions of three U.S. public companies that were recently identified as victims of hackers based in China. The companies, including Alcoa Inc. (AA) and Allegheny Technologies Inc. (ATI), didn’t report the theft of trade secrets and other data to investors, according to a Justice Department indictment unsealed on May 19.
To contact the reporters on this story: Chris Dolmetsch in New York State Supreme Court in Manhattan at
firstname.lastname@example.org; Christie Smythe in federal court in Brooklyn, New York, at