
Sketchy deals on eBay and other online marketplaces happen all the time. It is not surprising to find fake, stolen, broken, or falsely advertised items sold by third parties, but it is surprising to find something that was stolen from you.
This is what happened to an employee of the software company SAP. According to a report from The Register on Wednesday, the employee found one of four SSDs that were recently stolen from SAP data centers in Baden-Württemberg, Germany, for sale on eBay. According to unnamed “sources close to the incident,” the device was full of personal information on several workers.
“One of the disks later turned up on eBay and was bought by an SAP employee. They were able to identify that it belonged to SAP. The disk contained the personal records of 100 or more SAP employees,” The Register reported.
The data centers that held the stolen SSDs lack “physical checks,” The Register says, which allowed someone to move the devices from a secure location to a less secure building elsewhere on campus, sources told The Register.
SAP is currently investigating the situation and reportedly does not yet know the whereabouts of the other three SSDs. The Register claims that SAP’s European data centers have experienced five burglaries in the past two years.
Ars Technica reached out to SAP about the report and received this statement, which was also received by The Register:
“SAP takes data security very seriously. Please understand that while we do not comment on internal investigations, we can confirm that we currently have no evidence to suggest that confidential customer data or PII [personally identifiable information] was removed from the company through these disks or otherwise.”
It’s unclear how the employee found the storage device on eBay, learned it belonged to SAP, and confirmed it. It’s possible that the employee searched eBay with the intention of finding stolen property and just got lucky.
Fell off the truck and onto the Internet
Online marketplaces such as Amazon and Walmart are hampered in identifying and blocking questionable activities because sellers are anonymous and there are certain requirements to use the platforms. And the retail giants’ inability to track down or remove enough shady sellers means criminals—from individuals to organized groups—are profiting from stolen property through third-party marketplaces.
eBay, the marketplace in the SAP case, has made headlines countless times because stolen goods were sold on its site. In the tech realm, there have been recent reports of stolen Tesla car computers with personal data being sold there, for example, and a crime ring accused of selling more than $12 million in electronics and printer cartridges. Even the feds aren’t immune to seeing their stolen gear listed on the auction site. In 2008, for example, the US Government Accountability Office detailed how military goods were sold on eBay.
eBay’s seller policy prohibits the sale of stolen property and states that the company “will work with law enforcement on any attempt to sell stolen property on eBay.” Its website links to a California State Department of Justice website for reporting organized retail crimes, and also has an eBay Security Center page for reporting suspicious activity on eBay to law enforcement.
Ars Technica asked eBay about its current tactics to prevent stolen items from being listed on the site, and a spokesperson said the company has “zero tolerance for criminal activity” and supports “criminal prosecutions against those who try to use our platform to sell stolen goods.”
The representative also pointed to eBay’s Proact team, which launched in 2007 and works with 70 retailers to identify potentially fraudulent sellers for referral to law enforcement.
But how do people repeatedly get away with using eBay as a black market for stolen goods? And considering how easy it is to sell anything online, can boosted items be eliminated from eBay?