Losing control of more than 100 million customers' information is an increasingly common corporate crisis. Flubbing the public revelation of that breach and failing to tell most of your customers represents a more special form of train wreck.

In the wake of eBay's revelation earlier this week that it had lost as many as 145 million customers' data, eBay users and security response professionals say they've been increasingly angered and amazed at the company's ham-fisted public response to an incident that's already sparked multiple government investigations. EBay's mistakes include taking days to post a notice about the breach on eBay.com and confusing users as to whether their PayPal accounts had also been affected. As of Friday afternoon, many–if not the majority–of the site's users still had received no email notification about the breach.

"It just seems like their response has been complete disarray and disorganization," says Dave Kennedy, the CEO of security consultancy and breach response firm TrustedSec. "This is one of the worst responses I’ve seen in the past ten years from a company that’s experienced a breach."

EBay initially warned its customers about their data's theft in a note on its little-seen corporate website Ebayinc.com, telling them that a "cyberattack" had compromised a database of names, phone numbers, home addresses, emails and encrypted passwords but not financial information. No mention of the breach appeared on eBay.com.

Around the same time it also inexplicably posted a statement to PayPal's site, which warned in its title that eBay users should change their passwords, but offered no further information in the post's body, only the words "place holder text." That message no doubt confused users who mistakenly thought their PayPal accounts may have also been affected. It was later deleted. "That seemed like a bit of a cockup," says Rik Ferguson, an analyst with security firm Trend Micro.

A screenshot of eBay's now-deleted post on its PayPal site. Credit: Graham Cluley

Only on Friday did eBay post a note to its main eBay.com site, and in an abbreviated form that asked users to change their passwords but failed to mention whether financial information had also been caught up in the breach. The site also didn't force any users to change their password, allowing them to sign in as normal if they ignored its breach notification.

All of that would have been forgivable if the company had taken the no-brainer step of an immediate email blast warning users about the breach. Eva Velasquez of the non-profit Identity Theft Resource Center believes that the majority of eBay users still don't know their data has been stolen. She compares the incident to the far more visible breach of Target last December. "Our phone lines were blowing up with people calling about the Target breach asking what to do," she says. "This week, it’s been very quiet here."

Those serial acts of miscommunication signal that eBay, despite its role as one of the biggest ecommerce companies on the planet, may not have had a disclosure plan in place for the possibility of a breach. "For a company like eBay, this is one of the first tabletop exercises I’d ever do in an organization," says data breach consultant Kennedy. "They’re all over the place and don't seem to have prepared at all."

EBay spokesperson Amanda Christine Miller tells WIRED in an interview that the company has done its best to notify the public about its hacker attack and is emailing its 145 million users as fast as it can. "We’ve been working with law enforcement and security experts to do forensics on a global commerce platform, and we moved quickly and aggressively to investigate the matter," Miller says. "Once we knew the extent of the compromise, we undertook our disclosure and remediation plan."

When asked if eBay had such a plan in place before its breach occurred, Miller said the company has "many plans to deal with many different issues that arise."

EBay's breach by hackers occurred in late February or early March, but wasn't detected by the company until early this month. That's not an unusually long time to detection for companies that have suffered hacker intrusions. Last year's Verizon Data Breach Investigations Report found that 62 percent of breaches take "months" to discover, while only about a third are discovered within one month. But eBay, as an established internet giant, should be held to a different standard, says Trend Micro's Rik Ferguson. "For a huge global internet company with hundreds of millions of customers' information, that’s way too long."

Nor should it have taken weeks for the company to start emailing users about the possibility their data was stolen, says Paul Stephens of the Privacy Rights Clearinghouse, which keeps a database of data breach statistics. "This may be one of the largest, if not the largest data breach in history," Stephens says. "Why didn’t they immediately email their customers?"

In an interview with Reuters Friday afternoon, eBay's global marketplaces chief Devin Wenig said that the company's initial forensic investigation didn't reveal that any customer data had actually been compromised. That would partially explain the company's slow email response. But it doesn't explain its half-baked website statements, which were posted earlier.

EBay says the stolen user passwords were encrypted, but hasn't said what sort of encryption was used. That leaves open the possibility that they were hashed with a weak algorithm, or that they were reversibly encrypted and the decryption key was also stolen. The exposure of users' email addresses alone could allow them to be targeted with phishing attacks.
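The distinction the passage turns on, shown as an added illustration that is not part of the article or of eBay's systems (the sample password, word list and server key are constructed; the XOR scheme is a stand-in for any reversible encryption):

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration (not from the article).
PASSWORD = b"Summer2014!"
COMMON_PASSWORDS = [b"password", b"123456", b"Summer2014!", b"letmein"]
PBKDF2_ROUNDS = 200_000


def encrypt_reversible(password, key):
    """Toy reversible scheme: XOR with a keystream derived from the key.
    Stands in for any 'encrypted password' design where the server keeps a key
    that can undo the transformation. Illustration only, not a real cipher."""
    blocks = (len(password) // 32) + 1
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(blocks))
    return bytes(p ^ s for p, s in zip(password, stream))


def decrypt_reversible(ciphertext, key):
    # XOR is its own inverse: whoever holds a stolen key recovers every plaintext.
    return encrypt_reversible(ciphertext, key)


def unsalted_md5(password):
    """Weak storage: fast hash, no salt. Identical for every user with this password."""
    return hashlib.md5(password).hexdigest()


def lookup_unsalted(digest, candidates):
    """Why an unsalted fast hash is weak: the digest of each common password can be
    computed once and a stolen table checked by plain dictionary lookup."""
    table = {hashlib.md5(c).hexdigest(): c for c in candidates}
    return table.get(digest)


def store_pbkdf2(password, salt=None):
    """Recommended storage: per-user random salt plus a slow, iterated hash.
    There is no key to steal, and the salt makes precomputed tables useless."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


def verify_pbkdf2(password, salt, stored):
    # The server can only check a guess; it can never read the password back.
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)
```

Two users with the same password get different PBKDF2 records, whereas the reversible and unsalted schemes give the attacker the plaintext once the key or a word list is in hand.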

Trend Micro's Rik Ferguson points to the company's message that payment data was stored on a "separate secure network" as evidence that eBay hasn't taken seriously enough the protection of its customers' non-financial personal data. "You have to question why they’re running a two-tier system," he says. "There’s no excuse for not having encrypted the personally-identifiable information of more than a hundred million people."