Popular classified ads and community sale site Gumtree last week began the painstaking task of notifying its Australian users they’d been hacked, warning that personal data had been posted online.
At first glance, Gumtree seems to have done everything right, quickly notifying users, calling in the AFP and notifying the Privacy Commissioner as soon as the hack was confirmed.
The company said neither user passwords nor payment details were stolen.
Names, email addresses and phone numbers of a "number" of individuals were taken, the company revealed, but argued these details were mostly already in the public domain, making it a relatively minor breach.
Playing down the severity of the attack, however, hasn’t stopped the Australian government’s online cyber security alert system, Stay Smart Online, reporting this as a high priority incident.
Are you really at risk?
Back in 2014, Gumtree's parent company eBay was heavily criticised over its mishandling of a security breach that affected 145 million users, having initially tried to downplay the significance of the attack.
It almost goes without saying that, as one of the biggest ecommerce companies, eBay should have done better by its customers. You'd hope its investments in cyber security over the past two years would be commensurate with the scale of the harm caused to its client base.
I’d also suggest that any eBay subsidiary operating in a similar context, such as Gumtree, should have impeccable cyber security defences, with multifactor authentication and a variety of privacy settings for account management, similar to those we see on Facebook and LinkedIn.
But the reality is Gumtree offers a very basic website and could do with a technical overhaul. There are no security or privacy settings for users to configure and account setup is trivial.
However, the problem is that even if Gumtree introduced new technology to try and prevent these sorts of attacks, it still doesn't entirely secure your data.
Email addresses are the most commonly traded commodity on the black market, but they are also legitimately traded between marketing companies who have your permission (whether you realise it or not) to sell your details to anyone who wants them.
One of the reasons they give for this free sharing of your information is to “offer you personalised advertising”.
And while they also state that "other group companies will not send you marketing communications unless you have consented to receiving their communications", how do you know that the terms of signing up to one of the subsidiary companies' services haven't given them that consent?
From Gumtree’s perspective, your phone number and email address are already in the public domain to allow a buyer to contact you.
The Gumtree breach might leave you exposed to spamming, but you are anyway, right?
However, if Gumtree wants its users to have just the tiniest bit of confidence in the site, that blinkered attitude to privacy needs to go.
Otherwise the company can expect its users to vote with their feet and take their business elsewhere.