A Cyber Security Case Study: eBay Data Breach 2014
DAMAINE FRANKLIN 1
UEL-CN-7016 Computer Security
Assessment 1
A Cyber Security Case Study
eBay Data Breach February 2014
Damaine Fabion Franklin
Student #: R2104D12054733
08/26/2023
Table of Contents
Abstract
Introduction
Literature Review
  The Fundamental Aspects of Computer Security
    Defining Computer Security
    The Principles of The CIA Triad & AAA
    Principles of Access Controls
    Principles of Data Protection
  An Overview of the eBay Data Breach
Discussion and Analysis
  The Incident
  Threat Actors & Motives
  Attack Vector
  Exploited Vulnerabilities
Recommendations
  Authentication and Access Control
  Adequate Encryption
  Network Defense
  Security Awareness Training
Conclusions
References
Abstract
This cyber security case study seeks to provide a comprehensive analysis of the data
breach incident that occurred on the e-commerce trading platform eBay in February 2014. The
data breach compromised the personal and identifiable information of 145 million eBay
customers, including their usernames, encrypted passwords, dates of birth, names, addresses, and
phone numbers. The cyber incident led to a widespread investigation, which revealed that a
hacktivist group calling themselves “Syrian Electronic” claimed responsibility for the attack;
however, eBay did not confirm it. eBay’s reputation was significantly damaged by this
attack, and the company suffered major financial losses due to reduced levels of e-commerce
traffic caused by the security breach. The sections that follow provide
additional details concerning this cyber incident.
Introduction
According to a report published by the Ponemon Institute in 2015, the year
2014 saw a notable number of significant cybersecurity breaches and attacks against
major companies in the United States. The magnitude of the attacks varied among companies
such as Target, Sony Pictures, JPMorgan Chase & Co, Home Depot, Staples, Neiman Marcus,
Michaels Stores, eBay, and CHS Community Health Systems (Ponemon Institute, 2015). In the
context of this case study, the cyber incident under investigation is the data breach that occurred
at the e-commerce trading platform eBay in 2014. According to Roberts (2018), in March 2014,
145 million eBay user accounts were compromised due to a spear-phishing campaign.
Subsequently, eBay announced that the breach exposed its customers' personal and identifiable
information such as their names, email addresses, physical addresses, phone numbers, and date
of birth. The impact of this data breach caused much concern regarding identity theft, and as a
result, the company received widespread criticism over its handling of the incident, especially
when it was disclosed that customers' personal and identifiable information was not secured with
encryption (Roberts, 2018). In another report, IvyPanda (2020) stated that, due to the severity of
the cyber incident, eBay advised all its customers to urgently change their user credentials in
order to prevent being hacked. Even though the financial data of eBay’s customers was not
compromised, Roberts (2018) argued that eBay should have applied the same level of security to
customers' data as it did to their financial data. The damage to eBay’s reputation was significant
and it cost the company approximately $300 million. According to both Roberts (2018) and
IvyPanda (2020), the evidence seems to suggest that the attackers were primarily interested in
the theft of customers' personal information and not their financial data.
Literature Review
The Fundamental Aspects of Computer Security
As businesses become increasingly reliant on computer systems to manage and automate
their operations, computer security becomes more vital to their needs. As a result,
businesses that lack adequate security controls to defend
against security risks and cyber threats are vulnerable to attacks. Considering this fact, the
remainder of this section elaborates on the fundamental aspects of computer security,
beginning with a concise definition of computer security, followed by a discussion of the
principles of the CIA Triad and a brief discussion of the AAA security framework and the role
it plays in network management. It then explores data protection mechanisms such as
cryptography and hashing algorithms, followed by the principles of access control. Finally,
it describes the realms of cybersecurity and how they can be useful in determining an
effective incident response.
Defining Computer Security
The concept known as computer security has been studied extensively and based on the
reviews of several publications there does not appear to be a singular accepted definition of the
term. However, in a 1984 publication, author R. C. Summer defined computer security as the
concepts, techniques, and measures that are used to protect computing systems and the
information they maintain against intentional or unintentional threats. In a more recent study,
Sutton (2017) presents a comprehensive definition of the term by stating that computer security
concerns the series of tools, methodologies, practices, standards, and policies that can be adopted
to prevent or mitigate cyber threats and cybercrime such as identity theft, intellectual property
theft, fraud, extortion, espionage, terrorism, and other internal and external factors that are
security threats. With this understanding, the broadest sense of the term may be defined as the
prevention and detection of unauthorized actions by users of a computer system (Shipsey, 2009).
The Principles of The CIA Triad & AAA
According to Bishop (2018), the principles of the CIA triad (Confidentiality, Integrity,
and Availability) serve as the foundation of computer security and form the basis for the
development of security systems. The author noted that the interpretation of each element of the
CIA triad is contingent on a variety of factors, such as an organization's requirements, its
environment, its customers, and the laws that govern the organization. Each element, and how
it relates to computer security, is discussed below.
A. Confidentiality
According to information obtained from Fortinet (2023), confidentiality in computer
security refers to the mechanism used to safeguard sensitive data from unauthorized access,
copying, sharing, and dissemination. Confidentiality of sensitive data on a computer system may
be compromised by attack vectors such as a man-in-the-middle attack, whereby an attacker
intercepts and captures unencrypted data between a client and a server. One mechanism that
supports confidentiality is access control, which designates who is permitted or denied access to
certain data, applications, or resources (Fortinet, 2023). Another mechanism that supports
confidentiality is cryptography, which converts plaintext data into unreadable ciphertext. A
third is authentication and authorization, which explicitly verifies the identity of users and
ensures that these users are granted the appropriate level of access (Fortinet, 2023).
B. Integrity
Integrity in computer security refers to the mechanisms put in place to ensure that while
data is at rest or in transit it is trustworthy and not tampered with (Fortinet, 2023). Data integrity
is an important principle in computer security since it ensures the authenticity, accuracy, and
reliability of the data. According to Fortinet (2023), data integrity may be compromised
intentionally by insiders, unintentionally by someone making an honest mistake, or as a
consequence of inadequate computer security policies and protections. The mechanisms used to
ensure data integrity are nonrepudiation methods, hashing algorithms, cryptography, and digital
signatures (Fortinet, 2023).
C. Availability
According to Fortinet (2023), availability in computer security refers to the mechanisms
put in place to ensure that access to data and information systems is consistent and readily
available to individuals with authorized access. This implies that all systems, networks, and
applications must be functional and readily available at the expected and appropriate times.
Furthermore, data availability is an important element in computer security since it ensures
business continuity and network redundancy within an organization. Without data availability,
the confidentiality and integrity of data are meaningless (Fortinet, 2023). The most common
threats to data availability are natural disasters, power outages, inadequate disaster recovery
systems, and intentional acts such as a denial-of-service attack (Fortinet, 2023). Data
availability may be ensured through the implementation of multiple paths for network traffic to
flow, uninterruptible power supplies, and a disaster recovery plan (Fortinet, 2023).
D. Authentication Authorization & Accounting
In the preceding discussion, it was noted that the principles of the CIA triad serve as the
foundation of computer security. Similarly, according to Rensing et al. (2002), the principles of
the AAA security framework work together to fulfill the objectives of computer security.
According to Rensing et al. (2002), the first letter denotes Authentication,
which pertains to the process of verifying the identity of a user accessing a computer system.
With Authentication, users of a computer system must prove who they say they are by providing
one of the authentication factors (something you know, something you have, or something you
are). The second letter denotes Authorization, which, according to Rensing et al. (2002), refers to
granting the appropriate levels of access to users of a computer system in accordance with their
credentials. The authors noted that Authorization is directly linked to the principle of least
privilege, which states that users, devices, databases, and applications should be granted just
enough permission to perform their designated tasks or functions (Rensing, et al., 2002). The
final letter "A" in the acronym signifies Accounting, which, as stated by Rensing et al. (2002), is a
crucial component in computer security because its primary function involves monitoring and
recording user activities while accessing a computer system. Accounting can prove to be highly
beneficial when accessing system logs for cyber incidents and valuable in forensic investigation
(Rensing, et al., 2002).
Principles of Access Controls
According to Vimercati, et al. (2002), the proliferation of information technology and the
widespread use of computer systems for collecting, retrieving, and sharing data has increased the
need for enforcing information security measures. Such measures ensure the protection of data
against unauthorized access, and modification, as well as the guarantee of its availability to
legitimate users. In the context of an organizational setting, it is imperative that all employees are
granted access to system resources. However, it is equally important to acknowledge that not all
employees will be granted equal levels of access to those resources. In a book titled
“Fundamentals of Computer Security,” the authors explained that the objects within a computer
system have a well-defined collection of access operations that specify how a subject can
manipulate an object. Such operations entail functions such as read, write, execute, view,
modify, or full control among others (Pieprzyk, et al., 2003). The authors noted that, within a
computer system, a subject or user is usually granted specific access operations to perform
designated tasks. This is what Pieprzyk, et al. (2003) describe as access privilege, permission, or
access control. The primary purpose of access control according to Vimercati, et al. (2002) and
Mudarri (2015), is to control access to a system and its resources by limiting the operations of a
subject to ensure that only authorized access can occur. In an access control illustration taken
from Pieprzyk, et al. (2003), the authors stated that whenever a subject wishes to access an object to
perform some specific operation (read, write, execute, etc.), the access control checks whether
the subject has the corresponding access permissions to the object. If the subject holds the
appropriate permissions, access is granted; otherwise, access to the object is denied. Pieprzyk, et
al. (2003) added that the management of access rights is based on the established regulations or
policies of an organization. This means that a subject may fall in the access control list of either
Mandatory, Discretionary, or Role-based access control. According to Mudarri (2015), subjects
with mandatory access control are granted security clearance to objects with hierarchical levels
of security sensitivity, which is either secret, top secret, unclassified, or confidential. In other
words, a subject will only be able to access certain objects if he or she possesses the
necessary security clearance. Discretionary access control, on the other hand, grants the subject
complete control over an object and allows it to designate access permissions at its own
discretion (Mudarri, 2015). In addition, role-based access control grants access to specific
resources based on the subject's assigned role. This means that the subject is assigned to a role
and the object is assigned to a group. Therefore, the subjects are granted access based on the
assigned role; however, the access rights are based on the group where the object resides. Of the
three categories of access control, role-based access control is the most common and most secure
employed by organizations.
Principles of Data Protection
Another fundamental aspect of computer security is the principles of cryptography, which
aim to facilitate and guarantee data confidentiality, integrity, authentication, and
non-repudiation (Vacca, 2009, p. 30). According to Liu (2009), the fundamental principle of
cryptography is predicated on the concept of encryption and decryption. The author explained
that encryption occurs when readable plaintext data is converted into unreadable ciphertext using
an algorithm called a cipher. In addition, the purpose of encryption is to ensure that information
is hidden from anyone for whom it is not intended. In contrast to encryption, decryption occurs
when the ciphertext is converted back to its original plaintext.
According to Kessler (2006), there are three categories of cryptographic schemes used to
achieve its objectives, namely: asymmetric cryptography (public key), symmetric cryptography
(private key) and hashing functions. The author explained that with symmetric encryption both
the sender and receiver of a message share a single private key, which is used to encrypt and
decrypt the message. The strength of the encryption is dependent on the cipher used, which can
be AES, RSA, Triple DES, or Blowfish. Furthermore, Kessler (2006) explained that asymmetric
encryption employs two keys, a private key for encrypting plaintext data and a public
key for decrypting ciphertext data. Accordingly, Kessler (2006) noted that hashing functions
use no public or private key since the plaintext data is not recoverable from the ciphertext.
Instead, a hashing function is used to convert the plaintext of any length into a hashing value of a
fixed length known as a message digest. According to the author, the hash function guarantees
that if the information is altered in any way, a completely different output value will be
generated. The resulting output value cannot be reversed to determine the original data.
An Overview of the eBay Data Breach
According to Balushi (2015), not enough scholarly and peer reviewed research has been
conducted on the data breach that eBay encountered. Consequently, this study relied on news
articles, reports, and website articles from reputable outlets. According to CNBC (2014), eBay
had announced that hackers intruded their network, accessed, and compromised the user
accounts of 145 million of its customers. The report found that the hackers only compromised
customers’ personal and identifiable information but not their financial data which was encrypted
and stored differently. CNBC News further added that the attack succeeded because of
the compromised credentials of a small number of eBay’s employees. After they gained access,
Kelly (2014) noted that the hackers further gained access to the entire database of eBay’s
platform. As a result of the severity of the incident, eBay advised its customers that they should
change their credentials to avoid being hacked. Following the discovery of the incident, three
American states, Connecticut, Illinois and Florida, launched a federal investigation into the
matter (CNBC, 2014). Based on the number of accounts compromised, CNBC reported that the
incident gained a reputation as one of the biggest breaches in history.
Discussion and Analysis
The Incident
According to Balushi (2015), between late February and early March, eBay experienced a
data breach that compromised the personal and identifiable information of 145 million of its
customers. Due to the severity of the attack, eBay notified its customers via email on May 21,
2014, that they should immediately change their passwords, informing them of the potential
compromise (Balushi, 2015). During that period, a major flaw was reported
in eBay’s poor response to its customers. The report found that eBay at the time of
discovery had no warning notice set on its website and its customers were notified just two
weeks after they became aware of the incident (The Available Digest, 2014).
Threat Actors & Motives
According to IvyPanda (2020), there were several speculations regarding the motives of
the people who hacked eBay and what they wanted to achieve. Based on the method of the attack
and what was compromised it had been suggested that the attackers could have only wanted to
undermine the authority of eBay and damage their reputation. An assertion surrounding this
argument lies in the fact that eBay has always been one of the world’s foremost and largest
online marketplaces, which enable users to buy, sell, trade and conduct transactions online (eBay,
2014). Another suggestion is that this attack could be an attempt just to show eBay that their
systems are vulnerable, unsafe, and easily damaged. Regardless of the motive of the
cybercriminals, an interesting fact that came out of this attack is that the attackers had sufficient
time at their disposal to avoid getting caught. As a result of this attack, millions of eBay’s
customers lost their personal and identifiable information, making it one of the most famous
cyber-attacks in 2014 (IvyPanda, 2020). After the attack, eBay hired a forensic investigation
firm to help investigate the incident. A hacktivist group calling themselves “Syrian Electronics
Army” claimed responsibility for the attack; however, this has not been confirmed by eBay (Paganini,
2014).
Attack Vector
According to Singh (2020), the credentials of three eBay employees were compromised,
allowing the hackers to access eBay's internal network and exfiltrate unencrypted customer
personal and identifying data. Several authors have presumed that the login credentials
were obtained through a spear phishing attack. This assertion is
supported by Singh (2020), who believes that phishing attacks are one of the most common ways
the passwords of eBay’s employees could have been stolen, given that people typically use the
same password across platforms. In addition, eBay warned its customers to anticipate an increase
in fraudulent phishing emails in the aftermath of the attack (The Available Digest, 2014).
Furthermore, Al Pascual, a recognized security analyst on cybercrime, stated that the employees’
credentials were likely compromised by a spear phishing attack (Roman, 2014). Based on the
evidence, phishing remains the identified threat vector that led to the data breach at eBay. After
compromising the credentials, the attackers used them to infiltrate eBay's internal
network. Once inside the network, they remained undetected for more than two months
according to Roman (2014). The fact that the attack against eBay was carried out using
legitimate employee credentials made it that much more difficult to detect (Singh, 2020).
Exploited Vulnerabilities
Although eBay stated that the data breach was caused by the compromised passwords of
three of its employees, several other vulnerabilities were discovered by third parties after the
breach was made public. According to Paganini (2014), the vulnerabilities identified were
cross-site scripting (XSS), an uploaded shell on an eBay server, and account hijacking.
According to Paganini (2014), eBay had been notified on multiple occasions of the
presence of a potentially dangerous cross-site scripting vulnerability on its auction webpage.
Despite multiple attempts to notify eBay, Paganini (2014) discovered that the company did not
take any action to patch the vulnerability throughout that period. The author stated that this
vulnerability would allow an attacker to carry out an XSS attack, in which they can inject
malicious HTML or JavaScript code into a legitimate webpage. According to the author, this code
would contain a payload which, when the page was visited, would redirect eBay’s customers to a
phishing login page to steal their credentials. According to Vaas (2016), the identification of an XSS
attack on eBay’s auction webpage by its consumers would have posed a challenge, as it would
have required a thorough examination of the URL and a certain level of technical expertise to
understand the appearance of HTML or JavaScript elements. The second vulnerability discussed by
Paganini (2014) involved the use of a backdoor shell, which was discovered on eBay’s website.
The author noted that this vulnerability could allow an attacker to upload a backdoor shell on
eBay’s web server with the aim to control it. The third vulnerability found was account hijacking,
which was discovered after eBay made its public disclosure of the incident (Paganini, 2014).
The author noted that this attack exploited eBay’s forgotten-password feature, allowing the attackers
to hijack millions of user accounts. According to Khandelwal (2014), this vulnerability was
reported to eBay after the data breach had occurred in May 2014. The author explained that the
attacker would first submit a forgotten password request to eBay by entering the victim’s email
or username. eBay then responds via email with a password reset page which is visible to both
the attacker and the victim. After the victim provides his or her email and presses submit, eBay
then responds with another email with a password reset link associated with the victim’s email
which is only visible to the victim and not the attacker. Upon clicking the password reset link,
the victim is redirected to an eBay webpage that offers the option to set a new password. The
user is required to enter this new password twice and afterwards submit it in order to successfully
reset their eBay account password. According to Khandelwal (2014), the attacker intercepts the
change password request sent by the victim, then forwards a malicious “change your password”
link to the intended victim, disguising it as a legitimate response from eBay. When the user clicks
on that link and changes his or her password, it is visible to the attacker.
Figure 1: eBay's Account Hijacking vulnerability (Khandelwal, 2014)
Paganini (2014) also discussed a fourth vulnerability. The author noted
that eBay allows its customers to reuse the same login cookies even if they are logged out or
have reset their password. This poses a security risk, as attackers could harvest those cookies
and exfiltrate their login credentials.
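A server-side session store that closes the cookie-reuse gap described above, so that a copied cookie stops working after logout or a password reset. This is an added example, not code from eBay or the cited articles; the `SessionStore` class, its method names and the in-memory storage are assumptions made for illustration.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Hypothetical in-memory session store; a real service would use a shared cache or database."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}      # sha256(token) -> (user, credential_version, expires_at)
        self._cred_version = {}  # user -> counter bumped on every password change

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leaked session table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unpredictable cookie value
        version = self._cred_version.setdefault(user, 0)
        self._sessions[self._digest(token)] = (user, version, now + self.ttl)
        return token

    def validate(self, token, now=None):
        """Return the user name for a live session, or None if the cookie must be rejected."""
        now = time.time() if now is None else now
        key = self._digest(token)
        record = self._sessions.get(key)
        if record is None:
            return None  # never issued, or already revoked by logout
        user, version, expires_at = record
        if now >= expires_at or version != self._cred_version.get(user):
            # Expired, or issued before the most recent password change.
            self._sessions.pop(key, None)
            return None
        return user

    def logout(self, token):
        # Logging out deletes the server-side record, so the cookie cannot be replayed.
        self._sessions.pop(self._digest(token), None)

    def password_changed(self, user):
        # Bumping the version invalidates every session issued under the old password.
        self._cred_version[user] = self._cred_version.get(user, 0) + 1


def replay_demo():
    """Constructed scenario: one cookie is copied, the user logs out, then resets the password."""
    store = SessionStore(ttl_seconds=3600)
    copied = store.login("alice", now=0)   # cookie an attacker has harvested
    other = store.login("alice", now=0)    # the same user on a second device
    before = store.validate(copied, now=10)
    store.logout(copied)
    after_logout = store.validate(copied, now=20)
    store.password_changed("alice")
    after_reset = store.validate(other, now=30)
    fresh = store.login("alice", now=40)
    return before, after_logout, after_reset, store.validate(fresh, now=50)


if __name__ == "__main__":
    print(replay_demo())
```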
In a separate article, Singh (2020) discussed additional vulnerabilities that may have
contributed to the success of the eBay data breach. The author noted that prior to the attack, eBay
lacked basic security features such as two-factor authentication. Singh (2020) argued that if eBay
had implemented 2FA then the data breach would not have been possible, as the attackers easily
gained access to eBay’s internal network and compromised sensitive information. Furthermore,
according to Singh (2020), the lack of awareness training presents a vulnerability that can be
exploited by attackers. The author stated that eBay’s reputational damage and the loss of trust and
millions of dollars could have been averted if its employees were trained on how to identify basic cyber
threat tactics. Singh (2020) highlights a further significant vulnerability, wherein despite the fact
that eBay had a functioning firewall, it proved insufficient in detecting the data breach in a
timely manner. The author argued that eBay had been unable to detect the network intrusion for
more than two months, during which time the attackers had already made significant progress in
its network. Such a flawed detection system provided the attackers with the time they
needed to gain access to eBay’s system and exfiltrate all the data they wanted. In the aftermath of
this attack, Singh (2020) noted that customers' trust in eBay had diminished, primarily because
eBay lacked the necessary controls to safeguard their personal and identifiable information,
which was likely to result in identity theft.
Recommendations
One of the primary failures observed in the eBay data breach incident pertains to the
organization's inability to detect the intrusion in a timely manner. Additionally, there was a
deficiency in the implementation of adequate protective measures to safeguard customer
sensitive information, and a failure to fulfill the responsibility of notifying affected customers
about the incident, thereby impeding their ability to take necessary steps to secure their sensitive
data. As a result, this section’s aim is to recommend several preventative measures based on the
vulnerabilities identified in the eBay data breach incident.
A. Authentication and Access Control
According to Singh (2020), eBay lacked adequate authentication protocols such as
two-factor authentication at the time of the attack. The author argued that if eBay had implemented
two-factor authentication, it would have made it more difficult for the attackers to gain access to
its internal network because two-factor authentication adds an additional layer of security to the
login process. The second factor may include something you know, such as an extra password or PIN,
something you possess, such as an RSA token, or something you are, such as human biometrics.
B. Adequate Encryption
The incident analysis revealed that the primary reason the attackers were unable to
compromise and exfiltrate sensitive financial data was that it was encrypted and stored on a
distinct server. This shows that adequate encryption is effective in ensuring data
confidentiality and preventing unauthorized access. From this incident, it was discovered that
eBay did not secure its customers’ sensitive data with encryption. If that data had been
protected with robust encryption, it would have been difficult for an attacker to obtain access and
compromise 145 million customers’ sensitive information. Data encryption involves the
utilization of both a public and private key to ensure the security of the information. Without
possessing the appropriate key, decryption of the data becomes unattainable, hence maintaining
data confidentiality and preventing unauthorized access. Even though some attackers will
attempt to access confidential messages without the correct key, it will take so long to locate the
correct key that it becomes practically impossible.
C. Network Defense
According to Singh (2020), even though eBay had a functioning firewall to defend its
network, it proved insufficient in detecting the data breach in a timely manner. The author
argued that eBay had been unable to detect the network intrusion for more than two months,
during which time the attackers had already made significant progress in its network. Such a
flawed detection system gave the attackers the time they needed to gain access to
eBay’s system and exfiltrate all the data they wanted. While the implementation of firewalls,
when appropriately configured, enhances network security, eBay's network could have been
further fortified by incorporating other measures such as an intrusion detection system, an
intrusion prevention system, or a honeypot to mitigate unauthorized access. The implementation
of additional network defense measures would enhance eBay’s ability to detect a network
intrusion in a timelier manner, given that the attackers were present on eBay’s network for more
than two months. These additional controls would also assist eBay in responding to cyber threats
proactively and prioritizing resources accordingly.
D. Security Awareness Training
Implementing comprehensive security awareness training is an effective strategy for
protecting an organization's data, applications, and network against risks and malicious cyber
threats. According to Singh (2020), the lack of awareness training presents a vulnerability that
can be exploited by attackers. The author stated that eBay's reputational damage, loss of trust and
loss of millions of dollars could have been averted if its employees were trained on how to identify
basic cyber threat tactics. By far the most important lesson learned from the eBay data breach is the
need to establish a security culture that involves all employees. Security awareness training is
an effective way of teaching employees about the tactics used in phishing and social engineering
scams.
Conclusions
In conclusion, the data compromise that occurred at eBay between late February and
early March, 2014 severely damaged the company's reputation, and according to
multiple sources, it was among the most severe attacks in the history of the Internet (IvyPanda,
2020). The existing security controls implemented by eBay were not sufficient to prevent
the intrusion, as the attackers were able to easily access its internal network and remain
undetected for more than two months. If eBay had more resilient and proactive security controls
in place to detect and respond to the incident sooner, the incident could have been avoided.
Although the financial information of eBay's customers was not compromised, the reputational
damage is so significant that its customers have lost trust in the company to secure their sensitive
data. Based on the findings of Roberts (2014), eBay incurred an approximate financial loss of
$300 million as a result of the data breach. To mitigate the risk of future attacks, it is imperative
that eBay implements robust security controls for preventing unauthorized access to its internal
network and sensitive customer data.
References
Balushi, B. M. A., 2015. An Analysis of eBay's Communication Response to the Hacking Crisis
and the Impact on Users Trust and Behavioural Intentions. International Journal of Arts &
Sciences, 8(7), pp. 161-199.
Bishop, M., 2018. Computer Security Art and Science, 2nd Edition. In: Chapter 1: An Overview
of Computer Security. s.l.:Addison-Wesley Professional, pp. 257-258.
CNBC, 2014. Hackers raid eBay in historic breach, access 145M records, s.l.: CNBC News.
eBay, 2014. eBay Inc. To Ask eBay Users To Change Passwords. [Online]
Available at: https://www.ebayinc.com/stories/news/ebay-inc-ask-ebay-users-change-passwords/
[Accessed 25 August 2023].
Envision IT Solutions, 2022. What is Two-Factor Authentication and its Advantages. [Online]
Available at: https://blog.envisionitsolutions.com/what-is-two-factor-authentication-and-its-
advantages
[Accessed 27 August 2023].
Fortinet, 2023. CIA Triad. [Online]
Available at: https://www.fortinet.com/resources/cyberglossary/cia-triad
[Accessed 22 August 2023].
Gilbert, J. O., 2014. eBay Hacked, Urges All Members to Change Passwords Immediately.
[Online]
Available at: https://finance.yahoo.com/news/ebay-hacked-urges-all-members-to-change-
passwords-86405258249.html
[Accessed 25 August 2023].
IvoryResearch, 2021. Information Systems Strategy Analysis of eBay Company. [Online]
Available at: https://www.ivoryresearch.com/samples/information-systems-strategy-analysis-of-
ebay-company/
[Accessed 21 August 2023].
IvyPanda, 2020. Cyber Attack on eBay Company: The Summer of 2014 Report. [Online]
Available at: https://ivypanda.com/essays/cyber-attack-on-ebay-company-the-summer-of-2014/
[Accessed 25 August 2023].
IvyPanda, 2020. Cyber Attack on eBay Company: The Summer of 2014. [Online]
Available at: https://ivypanda.com/essays/cyber-attack-on-ebay-company-the-summer-of-2014
[Accessed 21 August 2023].
Khandelwal, S., 2014. Hacking any eBay Account in Just 1 Minute. [Online]
Available at: https://thehackernews.com/2014/09/hacking-ebay-accounts.html
[Accessed 26 August 2023].
Liu, D., 2009. Chapter 3 - An Introduction To Cryptography. In: Next Generation SSH2
Implementation. s.l.:Syngress, pp. 41-64.
Montalvo, M., 2022. What Is The Driving Force Of Successful Business Automation?. [Online]
Available at: https://www.forbes.com/sites/forbesbusinesscouncil/2022/05/19/what-is-the-
driving-force-of-successful-business-automation/
[Accessed 22 August 2023].
Mudarri, T., 2015. Security Fundamentals: Access Control Models. International Journal of
Interdisciplinarity in Theory and Practice, pp. 259-262.
Paganini, P., 2014. Ebay and PayPal hacked by Syrian Electronic Army, “For denying Syrian
citizens the ability to purchase online products” said SEA. [Online]
Available at: https://securityaffairs.co/21838/hacking/ebay-paypal-hacked-syrian-electronic-
army.html
[Accessed 26 August 2023].
Paganini, P., 2014. Security experts have discovered three new critical eBay vulnerabilities, the
privacy and data of more than 145 million users is still at risk. [Online]
Available at: https://securityaffairs.com/25177/hacking/critical-ebay-vulnerabilities.html
[Accessed 26 August 2023].
Pieprzyk, J., Hardjono, T. & Seberry, J., 2003. Chapter 17: Access Control. In: Fundamentals of
Computer Security. s.l.:Springer-Verlag Berlin Heidelberg, pp. 565-589.
Ponemon Institute, 2015. 2014: A Year of Mega Breaches, Traverse City: Ponemon Institute©
Research Report.
Rensing, C., Karsten, M. & Stiller, B., 2002. AAA: A Survey and a Policy-Based Architecture
and Framework. IEEE Network, 16(6), pp. 22-27.
Roberts, S., 2018. Learning lessons from data breaches. Network Security, 2018(11), pp. 8-11.
Roman, J., 2014. eBay Breach: 145 Million Users Notified. [Online]
Available at: https://www.bankinfosecurity.com/ebay-a-6858
[Accessed 26 August 2023].
Shipsey, R., 2009. Computer Security. In: Chapter 1: Security. London: University of London,
p. 1.
Singh, G., 2020. eBay 2014 data breach: With Big Data comes Big Responsibility. [Online]
Available at: https://www.skillsire.com/read-blog/266_ebay-2014-data-breach-with-big-data-
comes-big-responsibility.html
[Accessed 26 August 2023].
Summers, R. C., 1984. An overview of computer security. IBM Systems Journal, 23(4), pp. 309-
325.
The Available Digest, 2014. eBay’s Slow Response to Data Hack, s.l.: Sombers Associates, Inc.,
and W. H. Highleyman.
Vacca, J. R., 2009. Chapter 2: Data Encryption. In: Cyber Security and IT Infrastructure
Protection. s.l.:Elsevier Science & Technology, pp. 1-46.
Vimercati, S. D. C., Paraboschi, S. & Samarati, P., 2002. Access Control: Principles and
Solutions. Software Practice and Experience, 2(12), pp. 1-7.

More Related Content

What's hot

Groundwater Investigation Techniques-Geophysical Methods
Groundwater Investigation Techniques-Geophysical MethodsGroundwater Investigation Techniques-Geophysical Methods
Groundwater Investigation Techniques-Geophysical MethodsGowri Prabhu
 
Introduction to Reservoir Rock & Fluid Properties
Introduction to Reservoir Rock & Fluid PropertiesIntroduction to Reservoir Rock & Fluid Properties
Introduction to Reservoir Rock & Fluid PropertiesM.T.H Group
 
Lecture 07 permeability and seepage (11-dec-2021)
Lecture 07 permeability and seepage (11-dec-2021)Lecture 07 permeability and seepage (11-dec-2021)
Lecture 07 permeability and seepage (11-dec-2021)HusiShah
 
Aquifer Parameter Estimation
Aquifer Parameter EstimationAquifer Parameter Estimation
Aquifer Parameter EstimationC. P. Kumar
 
Groundwater occurrence, Rock properties affecting groundwater, Soil classific...
Groundwater occurrence, Rock properties affecting groundwater, Soil classific...Groundwater occurrence, Rock properties affecting groundwater, Soil classific...
Groundwater occurrence, Rock properties affecting groundwater, Soil classific...Naresh Kumar
 
Q923+rrl+l04
Q923+rrl+l04Q923+rrl+l04
Q923+rrl+l04AFATous
 
Flyash disposal and utilization
Flyash disposal and utilizationFlyash disposal and utilization
Flyash disposal and utilizationJyoti Kumari
 
The reservoir (rock porosity and permeability)
The reservoir (rock porosity and permeability)The reservoir (rock porosity and permeability)
The reservoir (rock porosity and permeability)salahudintanoli
 
Ground water sampling & Analysis technique
Ground water sampling & Analysis techniqueGround water sampling & Analysis technique
Ground water sampling & Analysis techniqueEr. Atun Roy Choudhury
 
Properties of reservoir rocks
Properties of reservoir rocksProperties of reservoir rocks
Properties of reservoir rocksuos
 
Aeration and Types of Aerators
Aeration and Types of AeratorsAeration and Types of Aerators
Aeration and Types of AeratorsVenkata Sai Kari
 
Water sampling methods and tools
Water sampling methods and toolsWater sampling methods and tools
Water sampling methods and toolsPraveen Kumar Singh
 
Venturimeter : Working,Construction,Applications ,Numerical
Venturimeter : Working,Construction,Applications ,NumericalVenturimeter : Working,Construction,Applications ,Numerical
Venturimeter : Working,Construction,Applications ,NumericalSINY MARY LONA
 

What's hot (20)

Groundwater Investigation Techniques-Geophysical Methods
Groundwater Investigation Techniques-Geophysical MethodsGroundwater Investigation Techniques-Geophysical Methods
Groundwater Investigation Techniques-Geophysical Methods
 
Drilling methods
Drilling methodsDrilling methods
Drilling methods
 
Introduction to Reservoir Rock & Fluid Properties
Introduction to Reservoir Rock & Fluid PropertiesIntroduction to Reservoir Rock & Fluid Properties
Introduction to Reservoir Rock & Fluid Properties
 
Lecture 07 permeability and seepage (11-dec-2021)
Lecture 07 permeability and seepage (11-dec-2021)Lecture 07 permeability and seepage (11-dec-2021)
Lecture 07 permeability and seepage (11-dec-2021)
 
Wettability
WettabilityWettability
Wettability
 
Aquifer Parameter Estimation
Aquifer Parameter EstimationAquifer Parameter Estimation
Aquifer Parameter Estimation
 
Groundwater occurrence, Rock properties affecting groundwater, Soil classific...
Groundwater occurrence, Rock properties affecting groundwater, Soil classific...Groundwater occurrence, Rock properties affecting groundwater, Soil classific...
Groundwater occurrence, Rock properties affecting groundwater, Soil classific...
 
Q923+rrl+l04
Q923+rrl+l04Q923+rrl+l04
Q923+rrl+l04
 
Flyash disposal and utilization
Flyash disposal and utilizationFlyash disposal and utilization
Flyash disposal and utilization
 
The reservoir (rock porosity and permeability)
The reservoir (rock porosity and permeability)The reservoir (rock porosity and permeability)
The reservoir (rock porosity and permeability)
 
Ground water sampling & Analysis technique
Ground water sampling & Analysis techniqueGround water sampling & Analysis technique
Ground water sampling & Analysis technique
 
Porosity
PorosityPorosity
Porosity
 
Properties of reservoir rocks
Properties of reservoir rocksProperties of reservoir rocks
Properties of reservoir rocks
 
Aeration and Types of Aerators
Aeration and Types of AeratorsAeration and Types of Aerators
Aeration and Types of Aerators
 
Water sampling methods and tools
Water sampling methods and toolsWater sampling methods and tools
Water sampling methods and tools
 
Principles of groundwater flow
Principles of groundwater flowPrinciples of groundwater flow
Principles of groundwater flow
 
Permeability
PermeabilityPermeability
Permeability
 
Porosity and permeability
Porosity and permeabilityPorosity and permeability
Porosity and permeability
 
Venturimeter : Working,Construction,Applications ,Numerical
Venturimeter : Working,Construction,Applications ,NumericalVenturimeter : Working,Construction,Applications ,Numerical
Venturimeter : Working,Construction,Applications ,Numerical
 
Pumping test
Pumping testPumping test
Pumping test
 

Similar to Computer Security - Case Study

Dealing with Data Breaches Amidst Changes In Technology
Dealing with Data Breaches Amidst Changes In TechnologyDealing with Data Breaches Amidst Changes In Technology
Dealing with Data Breaches Amidst Changes In TechnologyCSCJournals
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6seadeloitte
 
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015Robert Craig
 
Running head EFFECTS OF ARTIFICIAL INTELLIGENCE ON PRIVACY AND SE.docx
Running head EFFECTS OF ARTIFICIAL INTELLIGENCE ON PRIVACY AND SE.docxRunning head EFFECTS OF ARTIFICIAL INTELLIGENCE ON PRIVACY AND SE.docx
Running head EFFECTS OF ARTIFICIAL INTELLIGENCE ON PRIVACY AND SE.docxjeanettehully
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSRandall Chase
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCybAnastaciaShadelb
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForcePatrick Bouillaud
 
How to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jarHow to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jarJudgeEagle
 
Why is cyber security a disruption in the digital economy
Why is cyber security a disruption in the digital economyWhy is cyber security a disruption in the digital economy
Why is cyber security a disruption in the digital economyMark Albala
 
The digital economy and cybersecurity
The digital economy and cybersecurityThe digital economy and cybersecurity
The digital economy and cybersecurityMark Albala
 
Target Data Security Breach Case Study
Target Data Security Breach Case StudyTarget Data Security Breach Case Study
Target Data Security Breach Case StudyAngilina Jones
 
Cyber Review_April 2015
Cyber Review_April 2015Cyber Review_April 2015
Cyber Review_April 2015James Sheehan
 
Eamonn O Raghallaigh Major Security Issues In E Commerce
Eamonn O Raghallaigh   Major Security Issues In E CommerceEamonn O Raghallaigh   Major Security Issues In E Commerce
Eamonn O Raghallaigh Major Security Issues In E CommerceEamonnORagh
 
Operational CyberSecurity Final Case Report
Operational CyberSecurity Final Case ReportOperational CyberSecurity Final Case Report
Operational CyberSecurity Final Case ReportJames Konderla
 
Cybersecurity Business Risk, Literature Review
Cybersecurity Business Risk, Literature ReviewCybersecurity Business Risk, Literature Review
Cybersecurity Business Risk, Literature ReviewEnow Eyong
 
Who is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related   ulf mattssonWho is the next target and how is big data related   ulf mattsson
Who is the next target and how is big data related ulf mattssonUlf Mattsson
 

Similar to Computer Security - Case Study (20)

Dealing with Data Breaches Amidst Changes In Technology
Dealing with Data Breaches Amidst Changes In TechnologyDealing with Data Breaches Amidst Changes In Technology
Dealing with Data Breaches Amidst Changes In Technology
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6
 
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
U session 9 cyber risk-insurance conf_marcus_evans_rj_craig_15jan2015
 
Running head EFFECTS OF ARTIFICIAL INTELLIGENCE ON PRIVACY AND SE.docx
Running head EFFECTS OF ARTIFICIAL INTELLIGENCE ON PRIVACY AND SE.docxRunning head EFFECTS OF ARTIFICIAL INTELLIGENCE ON PRIVACY AND SE.docx
Running head EFFECTS OF ARTIFICIAL INTELLIGENCE ON PRIVACY AND SE.docx
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-Force
 
IBM X-Force.PDF
IBM X-Force.PDFIBM X-Force.PDF
IBM X-Force.PDF
 
How to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jarHow to protect the cookies once someone gets into the cookie jar
How to protect the cookies once someone gets into the cookie jar
 
Critical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the BoardroomCritical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the Boardroom
 
Why is cyber security a disruption in the digital economy
Why is cyber security a disruption in the digital economyWhy is cyber security a disruption in the digital economy
Why is cyber security a disruption in the digital economy
 
The digital economy and cybersecurity
The digital economy and cybersecurityThe digital economy and cybersecurity
The digital economy and cybersecurity
 
Target Data Security Breach Case Study
Target Data Security Breach Case StudyTarget Data Security Breach Case Study
Target Data Security Breach Case Study
 
Cyber Review_April 2015
Cyber Review_April 2015Cyber Review_April 2015
Cyber Review_April 2015
 
Eamonn O Raghallaigh Major Security Issues In E Commerce
Eamonn O Raghallaigh   Major Security Issues In E CommerceEamonn O Raghallaigh   Major Security Issues In E Commerce
Eamonn O Raghallaigh Major Security Issues In E Commerce
 
Data Safety And Security
Data Safety And SecurityData Safety And Security
Data Safety And Security
 
Operational CyberSecurity Final Case Report
Operational CyberSecurity Final Case ReportOperational CyberSecurity Final Case Report
Operational CyberSecurity Final Case Report
 
Cybersecurity Business Risk, Literature Review
Cybersecurity Business Risk, Literature ReviewCybersecurity Business Risk, Literature Review
Cybersecurity Business Risk, Literature Review
 
Who is the next target and how is big data related ulf mattsson
Who is the next target and how is big data related   ulf mattssonWho is the next target and how is big data related   ulf mattsson
Who is the next target and how is big data related ulf mattsson
 

More from DamaineFranklinMScBE

Digital Forensics Assignment One UEL and Unicaf
Digital Forensics Assignment One UEL and UnicafDigital Forensics Assignment One UEL and Unicaf
Digital Forensics Assignment One UEL and UnicafDamaineFranklinMScBE
 
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...DamaineFranklinMScBE
 
Formative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksFormative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksDamaineFranklinMScBE
 
Classical Cryptography and Digital Encryption
Classical Cryptography and Digital EncryptionClassical Cryptography and Digital Encryption
Classical Cryptography and Digital EncryptionDamaineFranklinMScBE
 
Identity, Authentication, and Access Control
Identity, Authentication, and Access ControlIdentity, Authentication, and Access Control
Identity, Authentication, and Access ControlDamaineFranklinMScBE
 
Is online education an effective replacement for traditional classroom teaching?
Is online education an effective replacement for traditional classroom teaching?Is online education an effective replacement for traditional classroom teaching?
Is online education an effective replacement for traditional classroom teaching?DamaineFranklinMScBE
 
What is The Role of Students in Online Courses?
What is The Role of Students in Online Courses?What is The Role of Students in Online Courses?
What is The Role of Students in Online Courses?DamaineFranklinMScBE
 

More from DamaineFranklinMScBE (14)

Digital Forensics Assignment One UEL and Unicaf
Digital Forensics Assignment One UEL and UnicafDigital Forensics Assignment One UEL and Unicaf
Digital Forensics Assignment One UEL and Unicaf
 
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...
LEGAL AND REGULATORY STRUCTURE PREVAILING IN THE UK RELATED TO DATA PRIVACY A...
 
Security Management
Security ManagementSecurity Management
Security Management
 
Security Management
Security ManagementSecurity Management
Security Management
 
Formative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksFormative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering Attacks
 
Classical Cryptography and Digital Encryption
Classical Cryptography and Digital EncryptionClassical Cryptography and Digital Encryption
Classical Cryptography and Digital Encryption
 
Identity, Authentication, and Access Control
Identity, Authentication, and Access ControlIdentity, Authentication, and Access Control
Identity, Authentication, and Access Control
 
ebay_data_breach
ebay_data_breachebay_data_breach
ebay_data_breach
 
Ebay cyber attack
Ebay cyber attackEbay cyber attack
Ebay cyber attack
 
Is online education an effective replacement for traditional classroom teaching?
Is online education an effective replacement for traditional classroom teaching?Is online education an effective replacement for traditional classroom teaching?
Is online education an effective replacement for traditional classroom teaching?
 
What is The Role of Students in Online Courses?
What is The Role of Students in Online Courses?What is The Role of Students in Online Courses?
What is The Role of Students in Online Courses?
 
Case Study.pdf
Case Study.pdfCase Study.pdf
Case Study.pdf
 
IT & Internet Law
IT & Internet LawIT & Internet Law
IT & Internet Law
 
IT and Internet Law
IT and Internet LawIT and Internet Law
IT and Internet Law
 

Recently uploaded

The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfChris Hunter
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptxMaritesTamaniVerdade
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.MaryamAhmad92
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxnegromaestrong
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701bronxfugly43
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
PROCESS RECORDING FORMAT.docx
PROCESS      RECORDING        FORMAT.docxPROCESS      RECORDING        FORMAT.docx
PROCESS RECORDING FORMAT.docxPoojaSen20
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.pptRamjanShidvankar
 

Recently uploaded (20)

The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 

Computer Security - Case Study

  • 1. A Cyber Security Case Study: eBay Data Breach 2014 DAMAINE FRANKLIN 1 UEL-CN-7016 Computer Security Assessment 1 A Cyber Security Case Study eBay Data Breach February 2014 Damaine Fabion Franklin Student #: R2104D12054733 08/26/2023
  • 2. Table of Contents

    Abstract (p. 3)
    Introduction (p. 3)
    Literature Review (p. 4)
    The Fundamental Aspects of Computer Security (p. 4)
    Defining Computer Security? (p. 5)
    The Principles of The CIA Triad & AAA (p. 5)
    Principles of Access Controls (p. 8)
    Principles of Data Protection (p. 10)
    An Overview of the eBay Data Breach (p. 11)
    Discussion and Analysis (p. 12)
    The Incident (p. 12)
    Threat Actors & Motives (p. 12)
    Attack Vector (p. 13)
    Exploited Vulnerabilities (p. 14)
    Recommendations (p. 17)
    Authentication and Access Control (p. 17)
    Adequate Encryption (p. 17)
    Network Defense (p. 18)
    Security Awareness Training (p. 19)
    Conclusions (p. 19)
    References (p. 21)
  • 3. Abstract

    This cyber security case study provides a comprehensive analysis of the data breach that occurred on the e-commerce trading platform eBay in February 2014. The breach compromised the personal and identifiable information of 145 million eBay customers, including their usernames, encrypted passwords, dates of birth, names, addresses, and phone numbers. The incident led to a widespread investigation, which revealed that a hacktivist group calling themselves the “Syrian Electronic Army” claimed responsibility for the attack; however, eBay did not confirm it. eBay’s reputation was significantly damaged by this attack, and the company suffered major financial losses due to reduced levels of e-commerce traffic caused by the security breach. The sections that follow cover this cyber incident in more detail.

    Introduction

    According to a report published by the Ponemon Institute in 2015, the year 2014 saw a notable number of significant cybersecurity breaches and attacks against major companies in the United States. The magnitude of the attacks varied among companies such as Target, Sony Pictures, JPMorgan Chase & Co, Home Depot, Staples, Neiman Marcus, Michaels Stores, eBay, and CHS Community Health Systems (Ponemon Institute, 2015). The cyber incident under investigation in this case study is the data breach that occurred at the e-commerce trading platform eBay in 2014. According to Roberts (2018), in March 2014, 145 million eBay user accounts were compromised due to a spear-phishing campaign. Subsequently, eBay announced that the breach exposed its customers' personal and identifiable information such as their names, email addresses, physical addresses, phone numbers, and date
  • 4. of birth. The data breach caused much concern regarding identity theft, and as a result, the company received widespread criticism over its handling of the incident, especially when it was disclosed that customers' personal and identifiable information was not secured with encryption (Roberts, 2018). In another report, IvyPanda (2020) stated that due to the severity of the cyber incident, eBay advised all its customers to urgently change their user credentials in order to prevent being hacked. Even though the financial data of eBay’s customers was not compromised, Roberts (2018) argued that eBay should have applied the same level of security to customers' data as it did to their financial data. The damage to eBay’s reputation was significant, and it cost the company approximately $300 million. According to both Roberts (2018) and IvyPanda (2020), the evidence suggests that the attackers were primarily interested in the theft of customers' personal information and not their financial data.

    Literature Review

    The Fundamental Aspects of Computer Security

    As businesses become increasingly reliant on computer systems to manage and automate their operations, computer security becomes more vital to their needs. As a result, businesses that lack adequate security controls to defend against security risks and cyber threats are vulnerable to attacks. The remainder of this section elaborates on the fundamental aspects of computer security, beginning with a concise definition of computer security, followed by a discussion of the principles of the CIA Triad. This is followed by a brief discussion of the AAA security framework and the role it plays in network management. The section then explores data protection mechanisms such as cryptography and hashing algorithms, followed by the principles of access control and
  • 5. subsequently, it describes the realms of cybersecurity and how it can be useful in determining an effective incident response.

    Defining Computer Security?

    The concept of computer security has been studied extensively, and based on a review of several publications there does not appear to be a single accepted definition of the term. However, in a 1984 publication, author R. C. Summer defined computer security as the concepts, techniques, and measures that are used to protect computing systems and the information they maintain against intentional or unintentional threats. In a more recent study, Sutton (2017) presents a comprehensive definition of the term, stating that computer security concerns the series of tools, methodologies, practices, standards, and policies that can be adopted to prevent or mitigate cyber threats and cybercrime such as identity theft, intellectual property theft, fraud, extortion, espionage, terrorism, and other internal and external factors that are security threats. With this understanding, the term in its broadest sense may be defined as the prevention and detection of unauthorized actions by users of a computer system (Shipsey, 2009).

    The Principles of The CIA Triad & AAA

    According to Bishop (2018), the principles of the CIA triad (Confidentiality, Integrity, and Availability) serve as the foundation of computer security and form the basis for the development of security systems. The author noted that the interpretation of each element of the CIA triad is contingent on a variety of factors, such as an organization's requirements, its environment, its customers, and the laws that govern the organization. Each element is discussed below, along with how it relates to computer security.
  • 6. A. Confidentiality

    According to information obtained from Fortinet (2023), confidentiality in computer security refers to the mechanisms used to safeguard sensitive data from unauthorized access, copying, sharing, and dissemination. The confidentiality of sensitive data on a computer system may be compromised by attack vectors such as a man-in-the-middle attack, whereby an attacker intercepts and captures unencrypted data between a client and a server. One mechanism that supports confidentiality is access control, which designates who is permitted or denied access to certain data, applications, or resources (Fortinet, 2023). Another is cryptography, which converts plaintext data into unreadable ciphertext. A third is authentication and authorization, which explicitly verifies the identity of users and ensures that these users are granted the appropriate level of access (Fortinet, 2023).

    B. Integrity

    Integrity in computer security refers to the mechanisms put in place to ensure that data, whether at rest or in transit, is trustworthy and has not been tampered with (Fortinet, 2023). Data integrity is an important principle in computer security since it ensures the authenticity, accuracy, and reliability of the data. According to Fortinet (2023), data integrity may be compromised intentionally by insiders, unintentionally by someone making an honest mistake, or as a consequence of inadequate computer security policies and protections. The mechanisms used to ensure data integrity are nonrepudiation methods, hashing algorithms, cryptography, and digital signatures (Fortinet, 2023).
  • 7. C. Availability

    According to Fortinet (2023), availability in computer security refers to the mechanisms put in place to ensure that access to data and information systems is consistent and readily available to individuals with authorized access. This implies that all systems, networks, and applications must be functional and readily available at the expected and appropriate times. Furthermore, data availability is an important element in computer security since it ensures business continuity and network redundancy within an organization. Without data availability, the confidentiality and integrity of data are meaningless (Fortinet, 2023). The most common threats to data availability are natural disasters, power outages, inadequate disaster recovery systems, and intentional acts such as a denial-of-service attack (Fortinet, 2023). Data availability may be ensured through the implementation of multiple paths for network traffic to flow, uninterruptible power supplies, and a disaster recovery plan (Fortinet, 2023).

    D. Authentication, Authorization & Accounting

    In the preceding discussion, it was noted that the principles of the CIA triad serve as the foundation of computer security. Similarly, according to Rensing et al. (2002), the principles of the AAA security framework work together to fulfill the objectives of computer security. According to Rensing et al. (2002), the first letter denotes Authentication, which is the process of verifying the identity of a user accessing a computer system. With Authentication, users of a computer system must prove they are who they say they are by providing one of the authentication factors (something you know, something you have, or something you are). The second letter denotes Authorization, which according to Rensing et al. (2002), refers to granting the appropriate levels of access to users of a computer system in accordance with their
  • 8. credentials. The authors noted that Authorization is directly linked to the principle of least privilege, which states that users, devices, databases, and applications should be granted just enough permission to perform their designated tasks or functions (Rensing, et al., 2002). The last "A" in the acronym signifies Accounting, which, as stated by Rensing et al. (2002), is a crucial component in computer security because its primary function involves monitoring and recording user activities while they access a computer system. Accounting can prove highly beneficial when accessing system logs for cyber incidents and is valuable in forensic investigation (Rensing, et al., 2002).

    Principles of Access Controls

    According to Vimercati, et al. (2002), the proliferation of information technology and the widespread use of computer systems for collecting, retrieving, and sharing data has increased the need for enforcing information security measures. Such measures ensure the protection of data against unauthorized access and modification, as well as guaranteeing its availability to legitimate users. In an organizational setting, it is imperative that all employees are granted access to system resources. However, it is equally important to acknowledge that not all employees will be granted equal levels of access to those resources. In a book titled “Fundamentals of Computer Security,” the authors explained that the objects within a computer system have a well-defined collection of access operations that specify how a subject can manipulate an object. Such operations include read, write, execute, view, modify, and full control, among others (Pieprzyk, et al., 2003). The authors noted that, within a computer system, a subject or user is usually granted specific access operations to perform designated tasks. This is what Pieprzyk, et al. (2003) describe as access privilege, permission, or
  • 9. access control. The primary purpose of access control, according to Vimercati, et al. (2002) and Mudarri (2015), is to control access to a system and its resources by limiting the operations of a subject to ensure that only authorized access can occur. In an access control illustration taken from Pieprzyk, et al. (2003), the authors stated that whenever a subject wishes to access an object to perform some specific operation (read, write, execute, etc.), the access control checks whether the subject has the corresponding access permissions to the object. If the subject holds the appropriate permissions, access is granted; otherwise, access to the object is denied. Pieprzyk, et al. (2003) added that the management of access rights is based on the established regulations or policies of an organization. This means that a subject may fall under Mandatory, Discretionary, or Role-based access control. According to Mudarri (2015), subjects under mandatory access control are granted security clearance to objects with hierarchical levels of security sensitivity, which is either secret, top secret, unclassified, or confidential. In other words, a subject will only be permitted to access certain objects if he or she possesses the necessary security clearance. Discretionary access control, on the other hand, grants the subject complete control over an object and allows it to designate access permissions at its own discretion (Mudarri, 2015). Finally, role-based access control grants access to specific resources based on the subject's assigned role. This means that the subject is assigned to a role and the object is assigned to a group. The subjects are therefore granted access based on the assigned role, while the access rights are based on the group where the object resides. Of the three categories of access control, role-based access control is the most common and most secure employed by organizations.
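The access check described above (subject, object, operation, then grant or deny) can be written out for each of the three models. This is an added example, not code from the case study or from any cited source; the subjects, objects, roles, and the rule that a clearance must be at least as high as the object's label are assumptions made for the sketch.

```python
from dataclasses import dataclass, field

# Sensitivity levels named in the text, ordered lowest to highest. The ordering
# and the "clearance must be at least the label" rule are assumptions.
LEVELS = ("unclassified", "confidential", "secret", "top secret")


def mac_allows(clearance: str, label: str) -> bool:
    """Mandatory: the system compares the subject's clearance with the label."""
    return LEVELS.index(clearance) >= LEVELS.index(label)


@dataclass
class DacObject:
    """Discretionary: the owner decides who else may do what."""
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of operations

    def grant(self, grantor: str, subject: str, operation: str) -> None:
        if grantor != self.owner:
            raise PermissionError("only the owner may change the ACL")
        self.acl.setdefault(subject, set()).add(operation)

    def allows(self, subject: str, operation: str) -> bool:
        return subject == self.owner or operation in self.acl.get(subject, set())


@dataclass
class RbacPolicy:
    """Role-based: subjects hold roles, objects sit in groups, and rights are
    attached to (role, group) pairs rather than to individual users."""
    user_roles: dict    # subject -> set of roles
    object_group: dict  # object -> group
    role_rights: dict   # role -> set of (group, operation)

    def allows(self, subject: str, obj: str, operation: str) -> bool:
        group = self.object_group.get(obj)
        if group is None:
            return False  # unknown object: deny by default
        return any((group, operation) in self.role_rights.get(role, set())
                   for role in self.user_roles.get(subject, set()))


def demo() -> dict:
    """Run comparable requests through each model (all data is constructed)."""
    report = DacObject(owner="alice")
    report.grant("alice", "bob", "read")
    rbac = RbacPolicy(
        user_roles={"carol": {"support"}, "dave": {"dba"}},
        object_group={"customer_records": "pii", "faq_pages": "public"},
        role_rights={"support": {("public", "read"), ("public", "write")},
                     "dba": {("pii", "read"), ("public", "read")}},
    )
    return {
        "mac_secret_reads_confidential": mac_allows("secret", "confidential"),
        "mac_confidential_reads_secret": mac_allows("confidential", "secret"),
        "dac_bob_read": report.allows("bob", "read"),
        "dac_bob_write": report.allows("bob", "write"),
        "rbac_support_reads_pii": rbac.allows("carol", "customer_records", "read"),
        "rbac_dba_reads_pii": rbac.allows("dave", "customer_records", "read"),
        "rbac_dba_writes_pii": rbac.allows("dave", "customer_records", "write"),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'granted' if allowed else 'denied'}")
```

In the role-based case the support role never reaches the customer records group, whatever the individual account is, which is the least-privilege property the AAA discussion refers to.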
  • 10. Principles of Data Protection

    Another fundamental aspect of computer security is the principles of cryptography, which aims to facilitate and guarantee data confidentiality, integrity, authentication, and non-repudiation (Vacca, 2009, p. 30). According to Liu (2009), the fundamental principle of cryptography is predicated on the concept of encryption and decryption. The author explained that encryption occurs when readable plaintext data is converted into unreadable ciphertext using an algorithm called a cipher. The purpose of encryption is to ensure that information is hidden from anyone for whom it is not intended. In contrast, decryption occurs when the ciphertext is converted back to its original plaintext. According to Kessler (2006), there are three categories of cryptographic schemes used to achieve these objectives, namely: asymmetric cryptography (public key), symmetric cryptography (private key), and hashing functions. The author explained that with symmetric encryption both the sender and receiver of a message share a single private key, which is used to encrypt and decrypt the message. The strength of the encryption is dependent on the cipher used, which can be AES, RSA, Triple DES, or Blowfish. Furthermore, Kessler (2006) explained that asymmetric encryption employs two keys, a private key for encrypting plaintext data and a public key for decrypting ciphertext data. Kessler (2006) also noted that hashing functions use no public or private key since the plaintext data is not recoverable from the ciphertext. Instead, a hashing function is used to convert plaintext of any length into a hash value of a fixed length known as a message digest. According to the author, the hash function guarantees that if the information is altered in any way, a completely different output value will be generated. The resulting output value cannot be reversed to determine the original data.
  • 11. An Overview of the eBay Data Breach

    According to Balushi (2015), not enough scholarly and peer-reviewed research has been conducted on the data breach that eBay encountered. Consequently, this study relied on news articles, reports, and website articles from reputable outlets. According to CNBC (2014), eBay announced that hackers had intruded into its network and accessed and compromised the user accounts of 145 million of its customers. The report found that the hackers only compromised customers’ personal and identifiable information but not their financial data, which was encrypted and stored differently. CNBC News further added that the success of the attack was attributed to the compromised credentials of a small number of eBay's employees. After they gained access, Kelly (2014) noted, the hackers further gained access to the entire database of eBay's platform. As a result of the severity of the incident, eBay advised its customers that they should change their credentials to avoid being hacked. Following the discovery of the incident, three American states, Connecticut, Illinois and Florida, launched a federal investigation into the matter (CNBC, 2014). Based on the number of accounts compromised, CNBC reported that the incident gained a reputation as one of the biggest breaches in history.
  • 12. Discussion and Analysis

    The Incident

    According to Balushi (2015), between late February and early March, eBay experienced a data breach that compromised the personal and identifiable information of 145 million of its customers. Due to the severity of the attack, eBay notified its customers via email on May 21, 2014, that they should immediately change their passwords, informing them of the potential compromise (Balushi, 2015). It was also reported that a major flaw was eBay's poor response to its customers. The report found that eBay at the time of discovery had no warning notice set on its website, and its customers were notified just two weeks after the company became aware of the incident (The Available Digest, 2014).

    Threat Actors & Motives

    According to IvyPanda (2020), there was considerable speculation regarding the motives of the people who hacked eBay and what they wanted to achieve. Based on the method of the attack and what was compromised, it had been suggested that the attackers could have only wanted to undermine the authority of eBay and damage its reputation. This argument rests on the fact that eBay has always been one of the world’s foremost and largest online marketplaces, which enables users to buy, sell, trade, and conduct transactions online (eBay, 2014). Another suggestion is that this attack could have been an attempt just to show eBay that its systems are vulnerable, unsafe, and easily damaged. Regardless of the motive of the cybercriminals, an interesting fact that came out of this attack is that the attackers had sufficient time at their disposal to avoid getting caught. As a result of this attack, millions of eBay’s
  • 13. customers lost their personal and identifiable information, making it one of the most famous cyber-attacks of 2014 (IvyPanda, 2020). After the attack, eBay hired a forensic investigation firm to help investigate the incident. A hacktivist group calling themselves the “Syrian Electronic Army” claimed responsibility for the attack; however, this has not been confirmed by eBay (Paganini, 2014).

    Attack Vector

    According to Singh (2020), the credentials of three eBay employees were compromised, allowing the hackers to access eBay's internal network and exfiltrate unencrypted customer personal and identifying data. Several authors have presumed that the login credentials were obtained through a spear phishing attack. This assertion is supported by Singh (2020), who believes that phishing attacks are one of the most common ways the passwords of eBay's employees could have been stolen, given that people typically use the same password across platforms. In addition, eBay warned its customers to anticipate an increase in fraudulent phishing emails in the aftermath of the attack (The Available Digest, 2014). Furthermore, Al Pascual, a recognized security analyst on cybercrime, stated that the employees’ credentials were likely compromised by a spear phishing attack (Roman, 2014). Based on the evidence, phishing remains the identified threat vector that led to the data breach at eBay. After obtaining the stolen credentials, the attackers used them to infiltrate eBay's internal network. Once inside the network, they remained undetected for more than two months, according to Roman (2014). The fact that the attack against eBay was carried out using legitimate employee credentials made it that much more difficult to detect (Singh, 2020).
  • 14. Exploited Vulnerabilities

    Although eBay stated that the data breach was caused by the compromised passwords of three of its employees, several other vulnerabilities were discovered by third parties after the breach was made public. According to Paganini (2014), the vulnerabilities identified were: cross-site scripting (XSS), an uploaded shell on an eBay server, and account hijacking. According to Paganini (2014), eBay had been notified on multiple occasions of the presence of a potentially dangerous cross-site scripting vulnerability on its auction webpage. Despite multiple attempts to notify eBay, Paganini (2014) discovered that the company did not take any action to patch the vulnerability throughout that period. The author stated that this vulnerability would allow an attacker to carry out an XSS attack, in which malicious HTML or JavaScript code is injected into a legitimate webpage. This code, according to the author, would contain a payload which, when the page is visited, would redirect eBay's customers to a phishing login page to steal their credentials. According to Vaas (2016), identifying an XSS attack on eBay’s auction webpage would have been a challenge for its consumers, as it would have required a thorough examination of the URL and a certain level of technical expertise to recognize HTML or JavaScript elements. The second vulnerability discussed by Paganini (2014) involved a backdoor shell which was discovered on eBay's website. The author noted that this vulnerability could allow an attacker to upload a backdoor shell on eBay’s web server with the aim of controlling it. The third vulnerability found was account hijacking, which was discovered after eBay made its public disclosure of the incident (Paganini, 2014). The author noted that this attack exploited eBay's forgot password feature, allowing the attackers to hijack millions of user accounts. According to Khandelwal (2014), this vulnerability was
  • 15. reported to eBay after the data breach had occurred in May 2014. The author explained that the attacker would first submit a forgotten password request to eBay by entering the victim’s email or username. eBay then responds via email with a password reset page which is visible to both the attacker and the victim. After the victim provides his or her email and presses submit, eBay responds with another email containing a password reset link associated with the victim’s email, which is only visible to the victim and not the attacker. Upon clicking the password reset link, the victim is redirected to an eBay webpage that offers the option to set a new password. The user is required to enter this new password twice and then submit it in order to successfully reset their eBay account password. According to Khandelwal (2014), the attacker intercepts the change password request sent by the victim, then forwards a malicious change-your-password link to the intended victim, disguising it as a legitimate response from eBay. When the user clicks on that link and changes his or her password, it is visible to the attacker.

    Figure 1: eBay's Account Hijacking vulnerability (Khandelwal, 2014)
  • 16. Paganini (2014) also discussed a fourth vulnerability. The author noted that eBay allowed its customers to reuse the same login cookies even if they had logged out or reset their password. This poses a security risk, as attackers could harvest those cookies and exfiltrate their login credentials.

    In a separate article, Singh (2020) discussed additional vulnerabilities that may have contributed to the success of the eBay data breach. The author noted that prior to the attack, eBay lacked basic security features such as two-factor authentication. Singh (2020) argued that if eBay had implemented 2FA then the data breach would not have been possible, as the attackers easily gained access to eBay’s internal network and compromised sensitive information. Furthermore, according to Singh (2020), the lack of awareness training presents a vulnerability that can be exploited by attackers. The author stated that eBay's reputational damage, loss of trust, and millions of dollars in losses could have been averted if its employees had been trained to identify basic cyber threat tactics. Singh (2020) highlights a further significant vulnerability: despite the fact that eBay had a functioning firewall, it proved insufficient in detecting the data breach in a timely manner. The author argued that eBay had been unable to detect the network intrusion for more than two months, during which time the attackers had already made significant progress in its network. Such a flawed detection system provided the attackers with the time they needed to gain access to eBay’s system and exfiltrate all the data they wanted. In the aftermath of this attack, Singh (2020) noted that customers' trust in eBay had diminished, primarily because eBay lacked the necessary controls to safeguard their personal and identifiable information, which was likely to result in identity theft.
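The login-cookie weakness described above comes down to whether the server can revoke a session. This is an added example, not eBay's code and not taken from the cited articles: it contrasts a signed cookie with no server-side state against a server-side session table that is cleared on logout and on password reset. The class names, the signing scheme, and the sample account are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # demo signing key, generated per run


def _sign(user: str) -> str:
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


class SignedCookieSessions:
    """Weak design: the cookie is 'user.signature' and the server stores nothing,
    so there is nothing it can revoke."""

    def login(self, user: str) -> str:
        return f"{user}.{_sign(user)}"

    def validate(self, cookie: str):
        user, _, sig = cookie.rpartition(".")
        ok = hmac.compare_digest(sig.encode(), _sign(user).encode())
        return user if ok else None

    def logout(self, cookie: str) -> None:
        pass  # the browser drops its copy; any other copy keeps working

    def reset_password(self, user: str) -> None:
        pass  # the password changes, the old cookie is still accepted


class ServerSideSessions:
    """Hardened design: random token per login, stored (hashed) on the server,
    deleted on logout, and deleted for every device on password reset."""

    def __init__(self):
        self._sessions = {}  # sha256(token) -> user

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = user
        return token

    def validate(self, cookie: str):
        return self._sessions.get(self._digest(cookie))

    def logout(self, cookie: str) -> None:
        self._sessions.pop(self._digest(cookie), None)

    def reset_password(self, user: str) -> None:
        for digest in [d for d, u in self._sessions.items() if u == user]:
            del self._sessions[digest]


def audit(store) -> dict:
    """Check whether a copied cookie outlives logout and password reset."""
    user = "alice@example.test"  # constructed account
    laptop, phone = store.login(user), store.login(user)
    copied = laptop  # a copy of the cookie held outside the user's browser
    store.logout(laptop)
    valid_after_logout = store.validate(copied) == user
    phone_still_signed_in = store.validate(phone) == user
    store.reset_password(user)
    valid_after_reset = (store.validate(copied) == user
                         or store.validate(phone) == user)
    return {"valid_after_logout": valid_after_logout,
            "phone_still_signed_in": phone_still_signed_in,
            "valid_after_reset": valid_after_reset}


if __name__ == "__main__":
    for store in (SignedCookieSessions(), ServerSideSessions()):
        print(type(store).__name__, audit(store))
```

With the server-side table, logging out on one device leaves other devices signed in, while a password reset ends every session for the account.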
  • 17. Recommendations

    One of the primary failures observed in the eBay data breach incident was the organization's inability to detect the intrusion in a timely manner. Additionally, there was a deficiency in the implementation of adequate protective measures to safeguard sensitive customer information, and a failure to fulfill the responsibility of notifying affected customers about the incident, thereby impeding their ability to take the necessary steps to secure their sensitive data. This section therefore recommends several preventative measures based on the vulnerabilities identified in the eBay data breach incident.

    A. Authentication and Access Control

    According to Singh (2020), eBay lacked adequate authentication protocols such as two-factor authentication at the time of the attack. The author argued that if eBay had implemented two-factor authentication, it would have been more difficult for the attackers to gain access to its internal network, because two-factor authentication adds an additional layer of security to the login process. The second factor may be something you know, such as an extra password or PIN, something you possess, such as an RSA token, or something inherent to you, such as human biometrics.

    B. Adequate Encryption

    The incident analysis revealed that the primary reason the attackers were unable to compromise and exfiltrate sensitive financial data was that it was encrypted and stored on a distinct server. This shows that adequate encryption is effective in ensuring data confidentiality and preventing unauthorized access. From this incident, it was discovered that
  • 18. eBay did not secure its customers' sensitive data with encryption. If that data had been protected with robust encryption, it would have been difficult for an attacker to obtain access and compromise 145 million customers' sensitive information. Data encryption involves the utilization of both a public and private key to ensure the security of the information. Without the appropriate key, decryption of the data becomes unattainable, hence maintaining data confidentiality and preventing unauthorized access. Even though some attackers will attempt to access confidential messages without the correct key, it will take so long to locate the correct key that it becomes practically impossible.

    C. Network Defense

    According to Singh (2020), even though eBay had a functioning firewall to defend its network, it proved insufficient in detecting the data breach in a timely manner. The author argued that eBay had been unable to detect the network intrusion for more than two months, during which time the attackers had already made significant progress in its network. Such a flawed detection system provided the attackers with the time they needed to gain access to eBay’s system and exfiltrate all the data they wanted. While firewalls, when appropriately configured, enhance network security, eBay's network could have been further fortified by incorporating other measures such as an intrusion detection system, an intrusion prevention system, or a honeypot to mitigate unauthorized access. Additional network defense measures would have enhanced eBay’s ability to detect a network intrusion in a timelier manner, given that the attackers were present on eBay’s network for more than two months. These additional controls would also assist eBay in responding to cyber threats proactively and prioritizing resources accordingly.
  • 19. D. Security Awareness Training
Implementing comprehensive security awareness training is an effective strategy for protecting an organization's data, applications, and network against risks and malicious cyber threats. According to Singh (2020), the lack of awareness training presents a vulnerability that can be exploited by attackers. The author stated that the damage to eBay's reputation and trust, and the loss of millions of dollars, could have been averted if its employees had been trained to identify basic cyber threat tactics. By far the most important lesson learned from the eBay data breach is the need to establish a security culture that involves all employees. Security awareness training is an effective way of teaching employees about the tactics used in phishing and social engineering scams.

Conclusions
In conclusion, the data compromise that occurred at eBay between late February and early March 2014 severely damaged the company's reputation, and according to multiple sources, it was among the most severe attacks in the history of the Internet (IvyPanda, 2020). The existing security controls implemented by eBay were not sufficient to prevent the intrusion, as the attackers were able to easily access its internal network and remain undetected for more than two months. If eBay had had more resilient and proactive security controls in place to detect and respond to the incident sooner, the incident could have been avoided. Although the financial information of eBay's customers was not compromised, the reputational damage is so significant that its customers have lost trust in the company to secure their sensitive data. Based on the findings of Roberts (2014), eBay incurred an approximate financial loss of $300 million as a result of the data breach. To mitigate the risk of future attacks, it is imperative
  • 20. that eBay implements robust security controls for preventing unauthorized access to its internal network and sensitive customer data.
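The two-factor check recommended in section A, as an added example that is not part of the original paper: a login that requires both a password and an RFC 6238 time-based token code, so a stolen password alone is rejected. The account record, salt and `login` helper are hypothetical; the seed is the published RFC 6238 test seed.

```python
import hashlib, hmac, struct

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1 variant)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash, so the stored value is not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Hypothetical employee record: salted password hash plus enrolled token seed.
SALT = b"constructed-salt"
ACCOUNT = {
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_seed": b"12345678901234567890",        # RFC 6238 test seed
    "last_step": -1,                             # last accepted time step
}

def login(account, password, code, now, step=30, drift=1):
    """Grant access only if both the password and the token code verify."""
    pw_ok = hmac.compare_digest(hash_password(password, SALT), account["pw_hash"])
    current = now // step
    for s in range(current - drift, current + drift + 1):  # tolerate clock drift
        expected = totp(account["totp_seed"], s * step, step)
        if hmac.compare_digest(expected, code) and s > account["last_step"]:
            if pw_ok:
                account["last_step"] = s         # block replay of this code
            return pw_ok
    return False

if __name__ == "__main__":
    print(login(ACCOUNT, "correct horse battery staple", "000000", 59))  # password only
    print(login(ACCOUNT, "correct horse battery staple", "287082", 59))  # both factors
```

Recording the last accepted time step means a code observed in transit cannot be reused within its validity window.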
  • 21. References
Balushi, B. M. A., 2015. An Analysis of eBay's Communication Response to the Hacking Crisis and the Impact on Users Trust and Behavioural Intentions. International Journal of Arts & Sciences, 8(7), pp. 161-199.
Bishop, M., 2018. Computer Security Art and Science, 2nd Edition. In: Chapter 1: An Overview of Computer Security. s.l.: Addison-Wesley Professional, pp. 257-258.
CNBC, 2014. Hackers raid eBay in historic breach, access 145M records, s.l.: CNBC News.
eBay, 2014. eBay Inc. To Ask eBay Users To Change Passwords. [Online] Available at: https://www.ebayinc.com/stories/news/ebay-inc-ask-ebay-users-change-passwords/ [Accessed 25 August 2023].
Envision IT Solutions, 2022. What is Two-Factor Authentication and its Advantages. [Online] Available at: https://blog.envisionitsolutions.com/what-is-two-factor-authentication-and-its-advantages [Accessed 27 August 2023].
Fortinet, 2023. CIA Triad. [Online] Available at: https://www.fortinet.com/resources/cyberglossary/cia-triad [Accessed 22 August 2023].
Gilbert, J. O., 2014. eBay Hacked, Urges All Members to Change Passwords Immediately. [Online] Available at: https://finance.yahoo.com/news/ebay-hacked-urges-all-members-to-change-passwords-86405258249.html [Accessed 25 August 2023].
IvoryResearch, 2021. Information Systems Strategy Analysis of eBay Company. [Online] Available at: https://www.ivoryresearch.com/samples/information-systems-strategy-analysis-of-ebay-company/ [Accessed 21 August 2023].
  • 22. IvyPanda, 2020. Cyber Attack on eBay Company: The Summer of 2014 Report. [Online] Available at: https://ivypanda.com/essays/cyber-attack-on-ebay-company-the-summer-of-2014/ [Accessed 25 August 2023].
IvyPanda, 2020. Cyber Attack on eBay Company: The Summer of 2014. [Online] Available at: https://ivypanda.com/essays/cyber-attack-on-ebay-company-the-summer-of-2014 [Accessed 21 August 2023].
Khandelwal, S., 2014. Hacking any eBay Account in Just 1 Minute. [Online] Available at: https://thehackernews.com/2014/09/hacking-ebay-accounts.html [Accessed 26 August 2023].
Liu, D., 2009. Chapter 3 - An Introduction To Cryptography. In: Next Generation SSH2 Implementation. s.l.: Syngress, pp. 41-64.
Montalvo, M., 2022. What Is The Driving Force Of Successful Business Automation?. [Online] Available at: https://www.forbes.com/sites/forbesbusinesscouncil/2022/05/19/what-is-the-driving-force-of-successful-business-automation/ [Accessed 22 August 2023].
Mudarri, T., 2015. Security Fundamentals: Access Control Models. International Journal of Interdisciplinarity in Theory and Practice, pp. 259-262.
Paganini, P., 2014. Ebay and PayPal hacked by Syrian Electronic Army, “For denying Syrian citizens the ability to purchase online products” said SEA. [Online] Available at: https://securityaffairs.co/21838/hacking/ebay-paypal-hacked-syrian-electronic-army.html [Accessed 26 August 2023].
  • 23. Paganini, P., 2014. Security experts have discovered three new critical eBay vulnerabilities, the privacy and data of more than 145 million users is still at risk. [Online] Available at: https://securityaffairs.com/25177/hacking/critical-ebay-vulnerabilities.html [Accessed 26 August 2023].
Pieprzyk, J., Hardjono, T. & Seberry, J., 2003. Chapter 17: Access Control. In: Fundamentals of Computer Security. s.l.: Springer-Verlag Berlin Heidelberg, pp. 565-589.
Ponemon Institute, 2015. 2014: A Year of Mega Breaches, Traverse City: Ponemon Institute© Research Report.
Rensing, C., Karsten, M. & Stiller, B., 2002. AAA: A Survey and a Policy-Based Architecture and Framework. IEEE Network, 16(6), pp. 22-27.
Roberts, S., 2018. Learning lessons from data breaches. Network Security, 2018(11), pp. 8-11.
Roman, J., 2014. eBay Breach: 145 Million Users Notified. [Online] Available at: https://www.bankinfosecurity.com/ebay-a-6858 [Accessed 26 August 2023].
Shipsey, R., 2009. Computer Security. In: Chapter 1: Security. London: University of London, p. 1.
Singh, G., 2020. eBay 2014 data breach: With Big Data comes Big Responsibility. [Online] Available at: https://www.skillsire.com/read-blog/266_ebay-2014-data-breach-with-big-data-comes-big-responsibility.html [Accessed 26 August 2023].
Summers, R. C., 1984. An overview of computer security. IBM Systems Journal, 23(4), pp. 309-325.
The Available Digest, 2014. eBay’s Slow Response to Data Hack, s.l.: Sombers Associates, Inc., and W. H. Highleyman.
  • 24. Vacca, J. R., 2009. Chapter 2: Data Encryption. In: Cyber Security and IT Infrastructure Protection. s.l.: Elsevier Science & Technology, pp. 1-46.
Vimercati, S. D. C., Paraboschi, S. & Samarati, P., 2002. Access Control: Principles and Solutions. Software Practice and Experience, 2(12), pp. 1-7.