- eBay suffers cyber-security incident potentially impacting more than 100 million users
- The company was aware of the incident for ‘about two weeks’ before notifying the affected individuals
- As the Privacy Act presently stands, an organisation is not bound to notify affected individuals of a serious data breach involving their personal information
- A bill currently before the Federal Parliament, if passed, will require organisations regulated by the Privacy Act to provide notice of a serious data breach to the Australian Information Commissioner and the affected individuals as soon as practicable after it believes on reasonable grounds that there has been a serious data breach
eBay suffers cyber-attack
Yesterday, eBay Inc (eBay) issued a press release,1 stating that, between late February and early March this year, a cyber-attack involving a ‘small number of employee log-in details’ occurred which compromised a database containing the name, encrypted password, email address, physical address, phone number and date of birth of an unspecified number of eBay users. Media reports have variously indicated that eBay has between 110 million and 145 million active users all of whom may have been affected by the cyber-attack. The company has said it has known about this security incident for ‘about two weeks’.
eBay has asserted that, after conducting extensive tests on its network, it has no evidence of any fraudulent eBay account activity or of unauthorised access to financial or credit card information. The company has publicly urged its users to change their passwords and says that, in the coming days, it will use email, site updates and other marketing channels to request all users to do so.
Australian Privacy Act implications
The Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) (Privacy Act) extend to an act done, or practice engaged in, outside Australia by an organisation that ‘carries on business in Australia’ (s 5B(3) of the Privacy Act). The APP Guidelines2 issued by the Office of the Australian Information Commissioner (OAIC) provide examples where, despite having no physical presence in Australia, an organisation may nonetheless be carrying on business in Australia. One of the examples provided is an organisation that has a website offering goods or services to countries including Australia.
eBay is reported to have more than 8 million Australian users. APP 11 requires organisations to take reasonable steps to protect the personal information they hold from misuse, interference and loss, as well as from unauthorised access, modification and disclosure. However, we emphasise that, while eBay is bound to comply with the APPs, the occurrence of this security incident does not automatically or of itself mean that eBay has breached APP 11.
In April 2011, the Sony group became aware of unauthorised access to the personal information (including, in some cases, credit card details) of approximately 77 million customers of the Sony PlayStation Network Platform. The Australian Privacy Commissioner (now called the Information Commissioner) commenced an investigation into the security incident. Sony reported to the Privacy Commissioner that it employed a wide range of security safeguards to protect personal information. The Privacy Commissioner concluded that Sony had taken ‘reasonable steps’ to protect the personal information held in relation to the network platform.
Interestingly, the Australian Privacy Commissioner expressed concern about the period of time, being 7 days, between Sony becoming aware of the incident and it notifying the affected consumers and the OAIC. In his report on the Sony incident, the Privacy Commissioner strongly advised Sony to review how it applied the OAIC’s Guide to handling personal information security breaches3 (Security Breach Guideline). The Security Breach Guideline indicates that, in general, if there is a real risk of serious harm as a result of a data breach, the affected individuals and the OAIC should be notified. Generally speaking, the more serious the threat, the earlier that the affected individuals and OAIC should be notified.
The Privacy Amendment (Privacy Alerts) Bill
Compliance with the Security Breach Guideline is not currently required under the Privacy Act. However, if passed, the Privacy Amendment (Privacy Alerts) Bill 2014 (PA Bill) currently before parliament will mean that organisations regulated by the Privacy Act will be required to provide notice of a serious data breach to the Information Commissioner and the affected individuals as soon as practicable after the organisation believes on reasonable grounds that there has been a serious data breach. eBay has indicated that the unauthorised access to its database was detected ‘about two weeks ago’. Whilst in eBay’s case no credit card or other financial information appears to have been accessed, on the information publicly available at present the threat of harm to the affected individuals would arguably seem serious, given that the categories of data accessed naturally raise identity theft concerns. It is also possible that the perpetrators of the cyber-attack may develop (or otherwise obtain) a means of decrypting the eBay users’ passwords. Whether or not eBay would have been able to justify the delay in notifying the affected individuals under a Privacy Act already amended by the PA Bill is an interesting, albeit hypothetical, question.