Employee finds SSD stolen from company data center last year for sale on eBay

    Sketchy deals on eBay and other online marketplaces happen all the time. It’s not surprising to come across counterfeit, stolen, broken or falsely advertised goods sold by third parties, but finding something stolen from you is.

    This reportedly happened to an employee of software company SAP. According to a report from The Register on Wednesday, the employee found one of four SSDs recently stolen from SAP data centers in Baden-Württemberg, Germany, for sale on eBay. According to unnamed “sources close to the incident,” the device was loaded with dozens of employees’ personal information.

    “One of the drives later turned up on eBay and was purchased by an SAP employee. They were able to determine that it belonged to SAP. The drive contained personal information from 100 or more SAP employees,” The Register reported.

    The data centers that held the defunct SSDs lacked “physical controls,” The Register’s sources claimed, which allowed someone to move the devices from a secure location to a less secure building elsewhere on campus.

    SAP is now investigating the situation and reportedly still doesn’t know where the other three SSDs are. The Register claimed that SAP’s European data centers had withstood five breaches in the past two years.

    Ars Technica contacted SAP about the report and received this statement, which The Register also received:

    “SAP takes data security very seriously. Please understand that while we do not comment on internal investigations, we can confirm that we currently have no evidence to suggest that confidential customer data or PII [personally identifiable information] has been obtained from the company through these drives or otherwise.”

    It’s unclear how the employee found the storage device on eBay, knew it belonged to SAP, and confirmed it. It’s possible that the employee was browsing eBay with the intention of finding the stolen property and was just lucky.

    Fall off a truck and end up on the internet

    Online marketplaces like Amazon and Walmart are hampered in identifying and blocking questionable activity because sellers are anonymous and have few requirements to use those platforms. And the retail giants’ inability to track down or remove enough shady sellers has led criminals — from individuals to organized groups — to profit from stolen property through third-party marketplaces.

    eBay, the marketplace in SAP’s case, has made headlines countless times for stolen goods sold on its site. On the tech front, for example, there have been recent reports of stolen Tesla car computers with personal data being sold there, and a crime ring accused of selling more than $12 million worth of electronics and printer cartridges. Even the FBI isn’t immune from seeing its stolen gear on the auction site. For example, in 2008, the US Government Accountability Office detailed how military items were sold on eBay [PDF].

    eBay’s seller policy prohibits the sale of stolen goods, saying the company “will cooperate with law enforcement in any attempt to sell stolen goods on eBay.” The website links to a State of California Department of Justice website for reporting organized retail crime, and there is also an eBay Security Center page for reporting suspicious eBay activity to law enforcement.

    Ars Technica asked eBay about its current tactics to avoid listing stolen items on the site, and a spokesperson said the company has “zero tolerance for criminal activity” and “supports criminal prosecution against those who try to use our platform to sell stolen goods.”

    The rep also pointed to eBay’s Proact team, which started in 2007 and works with 70 retailers to identify potentially fraudulent sellers and refer them to law enforcement.

    But how do people repeatedly get away with using eBay as a black market for stolen items? And considering how easy it is to sell something online, can stolen goods really be removed from eBay?