Major security breaches have become depressingly commonplace at large companies: When eBay announced that attackers had compromised an internal database holding customer passwords (still encrypted, the company insisted) and personal data, many people seemed to greet the news with a shrug. After all, this past holiday season saw Target and other major retailers hit with similar thefts.
While eBay has admitted the breach, the company seems to be taking a relatively low-key approach to getting users to change their passwords. “Because your password is encrypted (even we don’t know what it is), we believe your eBay account is secure,” read a note linked to eBay’s homepage. “But we don’t want to take any chances. We take security on eBay very seriously, and we want to ensure that you feel safe and secure buying and selling on eBay. So we think it’s the right thing to do to have you change your password.”
But there's a crucial difference between politely requesting a password change (especially via a link that some website visitors might not even bother to click) and forcing customers to create a new password the next time they sign in. Note, too, what "encrypted" most likely means here: a stored password that even the operator cannot read back is a one-way hash, not reversible encryption, and an attacker holding a copy of the database can still guess against those hashes offline at leisure. That is exactly why a prompt, mandatory reset matters. While a forced reset might irritate some people, few will likely quit the service over something so minor; in fact, most would probably be thankful for eBay's diligence.
However, eBay’s note doesn’t include a streamlined “change your password now” link, requiring users to go through the multi-step process to lock down their account. (CNET offers a handy guide to those steps.)
While this breach is unlikely to wreck eBay's fortunes in the long term, the criticisms leveled at the company's handling of post-attack security can be turned into some useful guidance for any firm facing its own breach.
Let Your Customers Know Immediately: Again and again, one of the biggest criticisms leveled against companies suffering a security breach is that they didn’t let their customers know as soon as possible. Even eBay allowed rumors of a breach to circulate for hours before it released any sort of official statement. Posting a note on a homepage is a necessary step, but it shouldn’t be the only one: By emailing customers with news of the breach, a company can ensure that even infrequent website visitors know there’s a situation.
But Have a Plan: The only thing worse than a breach is an indecisive response. Once a company’s made an official announcement, it should stick to the repair plan outlined in that announcement.
Make It Easy to Change a Password: Either force customers to change their password the next time they log in, or provide a prominent link that allows them to change their password in one or two quick steps. Forcing the change at next login is the stronger option: it reaches users who never see the notice, and it lets the company invalidate existing sessions and reject the compromised password at the same time, so a stolen credential cannot be used to walk straight in.
Offer Updates: A lack of information is nobody’s friend. Frequent updates about the situation on an official blog and social media can go a long way toward repairing the relationship between company and customers.
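As an added illustration of the "force a change at next login" approach (this is example code written for this article, not eBay's system, and it assumes a simple in-memory account store with PBKDF2-hashed passwords): after a breach, every account whose password was set before the breach cutoff is flagged, its live sessions are revoked, and the old password is accepted only as proof of identity for choosing a new one, never to open a session.

```python
"""Forced password reset after a credential-store breach.

Illustrative example, not production code from any real service. Assumes an
in-memory account store; a real deployment would back this with the user
database and the session store, and would reject known-weak new passwords.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    password_set_at: int          # Unix time at which the current password was set
    reset_required: bool = False  # set after a breach; cleared by change_password
    sessions: set = field(default_factory=set)


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted, slow hash: the thing a stolen database actually contains."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AccountStore:
    def __init__(self):
        self.accounts = {}

    def create(self, username, password, now):
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt), now)

    def flag_breach(self, breach_time):
        """Mark every password set on or before the breach as requiring rotation and
        revoke live sessions, since the stolen credentials may already be in use.
        Returns the number of accounts newly flagged."""
        flagged = 0
        for acct in self.accounts.values():
            if acct.password_set_at <= breach_time and not acct.reset_required:
                acct.reset_required = True
                acct.sessions.clear()
                flagged += 1
        return flagged

    def _verify(self, acct, password):
        return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))

    def login(self, username, password):
        """Returns ("ok", token), ("reset_required", None) or ("denied", None).
        A flagged account authenticates but gets no session until it rotates."""
        acct = self.accounts.get(username)
        if acct is None or not self._verify(acct, password):
            return ("denied", None)
        if acct.reset_required:
            return ("reset_required", None)
        token = secrets.token_hex(16)
        acct.sessions.add(token)
        return ("ok", token)

    def change_password(self, username, old_password, new_password, now):
        """Rotate the password; refuses to re-set the compromised one."""
        acct = self.accounts.get(username)
        if acct is None or not self._verify(acct, old_password):
            return False
        if new_password == old_password:
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.password_set_at = now
        acct.reset_required = False
        acct.sessions.clear()  # anything opened under the old credential is stale
        return True
```

The cutoff timestamp is what keeps the forced reset from annoying users who changed their password after the intrusion was contained, and re-running `flag_breach` is safe because it only touches accounts not already flagged.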
Unfortunately, massive breaches seem to have become more frequent in recent months. In light of that, it’s important for every company to have a plan in place for cleaning up the aftermath of an attack.
Image: Wikimedia Commons