It seems a no-brainer that the recent massive eBay data breach should be a much bigger story than the Target breach. After all, the Target breach “only” affected 110 million customers, whereas the eBay breach impacted closer to 150 million customers.
And while the Target breach might have only affected a handful of businesses, the eBay breach could have hurt millions of businesses, most of them small. eBay is a global main street where all kinds of entrepreneurs buy and sell and trade and barter. Not only are those millions of businesses affected by the breach, but customers who shop on eBay might be a little more reluctant to shop there now. Or at least for a while.
And within just a week of the announcement of the breach, hackers were already selling the stolen eBay logins and passwords online for more than $30 per account.
Yet while the Target breach has turned out to be one of the biggest cybersecurity stories in history, one that has already cost the company billions of dollars in losses, eBay has skated by pretty unscathed so far. Apart from some expected media coverage and a handful of calls for investigations and inquiries, the outrage over eBay’s breach is nothing compared to the fallout for Target.
So why is that? A few reasons stand out:
While none of the records exposed in the eBay breach included credit or debit card numbers (at least as far as we know), more than 40 million credit and debit cards were exposed in the Target breach. And consumers assume that the breach of a credit or debit card is far more dangerous than the exposure of things like names, addresses, phone numbers and email addresses.
But in reality, the theft of a credit or debit card is far less risky. The banks assume and absorb most of the losses and the cards can be cancelled and replaced quickly. Consumers still don’t seem to realize the important difference, and so are more likely to fret and complain about the loss of a credit card than they are about more sensitive information.
In the Target breach, the media had a field day calculating how much it would cost the banks to replace all the exposed credit and debit cards, with many consumers assuming that they would be on the hook for the estimated hundreds of millions of dollars this massive recall would cost.
In the case of eBay, the only things that had to be cancelled and changed were passwords, and that’s not even a bad thing. eBay users should be constantly changing their passwords and this was a good opportunity to remind them.
There’s also the popularity card. Target may simply be a more popular brand than eBay, which could make it much tougher for customers to forgive them. Target is the second most popular retail brand in America. Fortune magazine ranks Target as #29 on its list of the world’s most admired companies while eBay comes in at #44. The Reputation Institute ranks Target at #37 on its list of the top U.S. companies for trust, esteem, admiration and brand “good feeling”, but eBay barely makes it to the top 100. And while most consumers are very familiar with Target and might have shopped there at least once, millions of Americans have never even visited eBay’s website – let alone purchased from it.
So what does all this have to do with security?
Security and brand loyalty are all about trust. Breach either, and you’ll pay the price. Perception is important too. If your business exposes customer credit or debit card information as a result of a security breach, you’re less likely to be forgiven than if you expose their email addresses, even if a thief can do a lot more damage for a lot longer with an email address. Take the proactive step and reduce the chances of either outcome by equipping your site with security measures such as a malware scanner and a web application firewall.