May 23 (Bloomberg) -- EBay Inc. faces possible probes by the Luxembourg and U.K. data-protection authorities into a cyber-attack that exposed passwords and personal information, adding to investigations in U.S. states.
Gerard Lommel, the head of Luxembourg’s privacy watchdog, said the regulator will decide next week whether to investigate the company over the data breach. U.K. Information Commissioner Christopher Graham said in a blog post that he’s “actively looking at the situation with a view to launching a formal investigation.”
A database containing encrypted passwords and personal information was breached from late February to early March, the San Jose, California-based company said May 21. EBay urged users to change their passwords, while noting that credit card numbers are stored separately and there was no evidence of unauthorized activity resulting from the breach.
Luxembourg has already told EBay that it “will expect answers” over the breach, Lommel said in a phone interview today. The country’s regulator would take charge of any data-protection investigation because it’s responsible “for all users that have signed a contract with EBay in Europe,” he said.
“This is a big deal and we will for sure stay in close contact with our colleagues in other data protection authorities in Europe,” Lommel said. “The first steps will be to see where the risks now are and what the company’s plans are to remedy the situation.”
EBay has reached out to relevant authorities to work with them and will continue to cooperate, Amanda Christine Miller, a spokeswoman for the company, said in an e-mail today.
“Nothing is more important to EBay than ensuring the security of our customers’ information and the protection of their data, and we are committed to doing the right thing for them,” Miller said. “We are committed to working with the relevant regulatory and governmental authorities to address their questions about this matter.”
Regulators usually take charge of compliance for U.S. companies that have European headquarters in their countries. EBay’s European base is in Luxembourg.
The U.K. can act if the country’s data-protection rules have been violated, Graham said in his blog post.
“There’s millions of U.K. citizens affected,” he said. “So far our work has been offering assistance to Luxembourg and providing advice to consumers.”
Attorneys general in Connecticut, Illinois and Florida said yesterday they would investigate the EBay breach, while New York Attorney General Eric Schneiderman said he had asked the company to provide affected customers with free credit monitoring.