14 DAY TRIAL // Individuals whose data was compromised in the breach incident against eBay in February, 2014, are suing the company for inadequate security measures imposed for protecting sensitive customer information.
Although eBay’s systems were accessed without authorization by unknown individual(s) in February, the company did not notify its customers until May 21, 2014, after the incident had been reported in the media.
The lawsuit was filed this week by Collin Green on his behalf and other parties affected by the security event.
The details stolen from eBay’s database consisted of names, encrypted passwords, email and physical addresses, phone numbers and dates of birth, but other information may also be included.
According to the lawsuit complaint, “the combined claims of the proposed class members exceed $5,000,000 [€3,718,000] exclusive of interest and costs.”
As far as this breach is concerned, it appears that “eBay’s security was not only unreasonably lax in regard to intrusion, but eBay claims it remained unaware of the breaches for weeks, or months, after they occurred,” it is written in the document.
Moreover, the encryption applied to the passwords was not the strongest, but the “least safe method,” that did not feature hashing of the codes.
The complaint also says that the company took a conscious decision not to upgrade the security measures so that the yearly revenue stream (more than $4 / €2.97 billion) would not be affected.
eBay admitted in the 10-Q SEC filing for the first quarter of 2014 that security incidents were a constant threat for the business, and that the customer perception of the company not being secure would be detrimental to its financial results.
The lawsuit is filed for negligence, breaching The Stored Communications Act, breach of contract or of implied contract, of fiduciary duty, bailment, violation of multi-state privacy laws and of Fair Credit Reporting Act, among other complaints.
eBay collects and stores personal details of more than 120 million customers, as it is a huge marketplace for buyers and sellers who made transactions of about $205 / €152.2 billion in 2013.
When the company released the breach notice to its millions of customers in May 2014, it only asked them to change their passwords and offered no details about the compromise of additional personally identifiable information (PII), which could lead to identity theft.
“eBay’s profit-driven decision to withhold the fact of its security lapse further damaged the class members who were prevented from immediately mitigating the damages from the theft,” says the complaint.