Customers of auction site eBay in Singapore could be getting spam mail about prizes they have supposedly won or auction items they never bid on because of a major data breach of eBay's corporate network that the site revealed on Wednesday.
Singapore's Personal Data Protection Commission (PDPC) said people who believe their information has been stolen should lodge a report with the police to determine if an offence has been committed under the Computer Misuse and Cybersecurity Act. The commission told The Straits Times yesterday that it was "monitoring the situation closely".
Cyber criminals stole eBay customers' personal data, including names, encrypted passwords, phone numbers, e-mail addresses, home addresses and dates of birth.
eBay said on its corporate website that customers' financial or credit card details were not accessed. Account data from its online payment subsidiary PayPal were unaffected, too.
However, the company advised all customers to change their eBay passwords, which should not be the same as those for other online accounts.
It did not say exactly how many people were affected, but the firm said a large number of accounts might have been compromised, and it was "applying additional security" to protect customers.
The theft occurred between late February and early March, but eBay found out only about two weeks ago.
In the first quarter of this year, eBay had 145 million active buyers globally. In 2007, reports said the local version of eBay had over 16 million page views a month and more than 4,000 sellers.
The PDPC and Infocomm Development Authority of Singapore have not received any complaints over the eBay incident as of 6pm yesterday.
From July 2, organisations that collect, use or disclose personal data here have to comply with provisions under the Personal Data Protection Act, or face fines of up to $1 million. Provisions include having reasonable security measures to protect data.
Getting hold of even non-financial data is useful, said cybersecurity experts.
Sophos senior security adviser Paul Ducklin said e-mail addresses could be sold to spammers, so spam volume could increase slightly.
"Physical addresses and phone numbers could be useful on bogus application forms, or when trying to trick someone over the phone," said Mr Ducklin, adding that birth dates are still used by financial institutions to cross-check customer identities.
Mr Ducklin said a long and complex password - like one that has 14 characters and is well jumbled - should hold out for two months, provided measures are in place to scramble it.
Holding eBay log-in details, cybercrooks could pose as users to put in bids they could pocket, on the chance that victims reused their credentials in PayPal accounts for auction payments, said Ms Macky Cruz, the security focus lead at Trend Micro. She said eBay customers should monitor their online activities and be alert to strange transactions. Those who have trouble remembering multiple passwords for different accounts could use password managers to use one strong password to manage their accounts, added Ms Cruz.
The eBay breach comes after reports of other data breaches in recent months.In December, Standard Chartered in Singapore said 647 private banking clients' statements were stolen from a server at Fuji Xerox, which prints private bank statements for the bank. Globally, there were eight data breaches last year exposing more than 10 million identities each, a jump from one case in 2012, IT security firm Symantec said in an April report.
Aviation executive Aman Singh, 27, said he was shocked by eBay's breach. "I am apprehensive about using eBay again. If someone can hack into it, it can happen again, so I don't feel comfortable using it."
