Simple deals happen on eBay and other electronic marketplaces all the time. Encountering fake, stolen, broken, or undeclared items sold by third parties is no surprise, but finding something stolen from you is.
It is said that this is what happened to an employee of the software company SAP. According to a report by The Register on Wednesday, an employee found one of four solid-state drives (SSDs) that were recently stolen from SAP data centers in Baden-Wurttemberg, Germany, for sale on eBay. According to unnamed “sources close to the incident,” the package was loaded with personal information about dozens of workers.
The record stated, “One of the disks subsequently appeared on eBay and was purchased by an SAP employee. They were able to determine that it belonged to SAP. The disk contained the personal records of a hundred or more SAP employees.”
Sources of record claimed that data centers with solid-state drives (SSDs) installed lacked “physical checks,” allowing someone to move hardware from a secure location to a less secure building elsewhere on campus.
SAP is now investigating the situation and reportedly still does not know where the other three SSDs are. The record alleged that SAP’s European data centers had five burglaries over the past two years.
Ars Technica reached out to SAP about the report and received this statement, which also obtained the record:
“SAP takes data security very seriously. Please understand that although we do not comment on internal investigations, we can confirm that we currently have no evidence to indicate that confidential customer data or personally identifiable information [personal identifiable information] taken from the Company via these discs or otherwise.”
It’s unclear how the employee found the storage device on eBay, knew it belonged to SAP, and confirmed it. It is possible that the employee was searching on eBay with the intent of finding stolen property and simply got lucky.
Falling out of a truck and on the Internet
Online marketplaces like Amazon and Walmart face hurdles in identifying and blocking questionable activity because sellers are anonymous and have few requirements to use these platforms. The inability of the retail giants to track down or remove enough shady sellers means that criminals – from individuals to organized groups – profit from stolen property via third-party marketplaces.
In the case of SAP, eBay has made headlines countless times because stolen goods are sold on its site. In the tech world, there have been recent reports of stolen Tesla car computers with personal data being sold there, for example, and a crime syndicate accused of selling more than $12 million worth of electronics and printer cartridges. Not even the Federal Reserve is immune from seeing their augmented equipment listed on an auction site. In 2008, for example, the US Government Accountability Office detailed how military items are sold on eBay. [PDF].
eBay’s seller policy prohibits the sale of stolen property and says the company will “work with law enforcement on any attempts to sell stolen property on eBay.” His website links to the California Department of Justice’s website for reporting organized retail crime, and there’s also an eBay Security Center page for reporting suspicious eBay activities to law enforcement.
Ars Technica asked eBay about its current tactics to prevent stolen items from being listed on the site, and a company spokesperson said the company “has zero tolerance for criminal activity” and supports “criminal prosecutions against those who attempt to use our platform to sell stolen merchandise.”
The representative also pointed to eBay’s Proact Team, which launched in 2007 and works with 70 retailers to identify potential fraudulent sellers for referral to law enforcement.
But how do people get away with using eBay over and over again as a black market for stolen items? And given how easy it is to sell anything online, is it really possible to get rid of promotional items off eBay?
