Sketchy deals on eBay and other online marketplaces happen all the time. Encountering counterfeit, stolen, broken, or falsely advertised goods sold by third parties isn’t surprising, but finding something that was stolen from you is.
That’s reportedly what happened to an employee at the software company SAP. According to a report from The Register on Wednesday, the employee found one of four SSDs recently stolen from SAP data centers in Baden-Württemberg, Germany, for sale on eBay. According to unnamed “sources close to the incident,” the device was loaded with personal information for dozens of workers.
“One of the disks later turned up on eBay and was bought by an SAP employee. They were able to identify that it belonged to SAP. The disk contained personal records of 100 or more SAP employees,” The Register reported.
The data centers that held the lifted SSDs lacked “physical checks,” The Register said, allowing someone to move the devices from a secure location to a less-secure building elsewhere on campus, The Register’s sources claimed.
SAP is investigating the situation now and reportedly still doesn’t know where the other three SSDs are. The Register claimed that SAP European data centers had endured five burglaries over the past two years.
Ars Technica reached out to SAP about the report and received this statement, which The Register also received:
“SAP takes data security very seriously. Please understand that while we don’t comment on internal investigations, we can confirm we currently have no evidence suggesting that confidential customer data or PII [personal identifiable information] has been taken from the company via these disks or otherwise.”
It’s unclear how the employee found the storage device on eBay, knew it belonged to SAP, and confirmed this. It’s possible the employee was searching on eBay with the intent of finding the stolen property and simply got lucky.
Falling off a truck and onto the Internet
Online marketplaces like Amazon and Walmart are hampered in identifying and blocking questionable activity because sellers are anonymous and have few requirements to use those platforms. And the retail giants’ inability to track or remove enough shady sellers has meant criminals—from individuals to organized groups—profit from stolen property via third-party marketplaces.
In SAP’s case, eBay has made headlines countless times because stolen goods are sold on its site. In the tech realm, there have been recent reports of stolen Tesla car computers with personal data selling there, for example, and a crime ring accused of selling over $12 million in electronics and printer cartridges. Not even the feds are immune to seeing their boosted gear listed on the auction site. In 2008, for example, the US Government Accountability Office detailed how military items were sold on eBay [PDF].
eBay’s seller policy prohibits selling stolen property and says the company “will work with law enforcement in any attempts to sell stolen property on eBay.” Its website links to a State of California Department of Justice website for reporting organized retail crimes, and there’s also an eBay Security Center page for reporting suspicious eBay activity to law enforcement.
Ars Technica asked eBay about its current tactics to prevent stolen items from being listed on the site, and a spokesperson said the company has “zero tolerance for criminal activity” and supports “criminal prosecutions against those who try to use our platform to sell stolen goods.”
The rep also pointed to eBay’s Proact team, which launched in 2007 and works with 70 retailers to identify potentially fraudulent sellers for referral to law enforcement.
But how do people repeatedly get away with using eBay as a black market for stolen items? And considering how easy it is to sell anything online, can boosted goods really be eradicated from eBay?
https://arstechnica.com/?p=1949673