EBay (EBAY)

Our business is subject to online security risks, including security breaches and identity theft.

To succeed, online commerce must provide a secure transmission of confidential information over public networks. Our security measures may not detect or prevent security breaches that could harm our business. Currently, a significant number of our users authorize us to bill their credit card accounts directly for all transaction fees charged by us. PayPal’s users routinely provide credit card and other financial information. We rely on encryption and authentication technology licensed from third parties to provide the security and authentication to effectively secure transmission of confidential information, including customer credit card

23

Table of Contents

numbers. Advances in computer capabilities, new discoveries in the field of cryptography or other developments may result in the technology used by us to protect transaction data being breached or compromised. Other large Internet companies have recently disclosed sophisticated and highly targeted attacks on portions of their sites. In addition, any party who is able to illicitly obtain a user’s password could access the user’s transaction data. An increasing number of websites have reported breaches of their security. Any compromise of our security could harm our reputation and, therefore, our business, and could result in a violation of applicable privacy and other laws. In addition, a party that is able to circumvent our security measures could misappropriate proprietary information, cause interruption in our operations, damage our computers or those of our users, or otherwise damage our reputation and business. Under credit card rules and our contracts with our card processors, if there is a breach of credit card information that we store, or that is stored by PayPal’s direct credit card processing customers, we could be liable to the credit card issuing banks for their cost of issuing new cards and related expenses. In addition, if we fail to follow credit card industry security standards, even if there is no compromise of customer information, we could incur significant fines or lose our ability to give customers the option of using credit cards to fund their payments or pay their fees. If we were unable to accept credit cards, our business would be seriously damaged.

Our servers are also vulnerable to computer viruses, physical or electronic break-ins, and similar disruptions, and we have experienced “denial-of-service” type attacks on our system that have made all or portions of our websites unavailable for periods of time (most recently involving our Korean IAC website in July 2009). We may need to expend significant resources to protect against security breaches or to address problems caused by breaches. These issues are likely to become more difficult as we expand the number of places where we operate. Security breaches, including any breach by us or by parties with which we have commercial relationships that result in the unauthorized release of our users’ personal information, could damage our reputation and expose us to a risk of loss or litigation and possible liability. Our insurance policies carry low coverage limits, which may not be adequate to reimburse us for losses caused by security breaches.

Our users, as well as those of other prominent Internet companies, have been and will continue to be targeted by parties using fraudulent “spoof” and “phishing” emails to misappropriate passwords, credit card numbers, or other personal information or to introduce viruses through “trojan horse” programs to our users’ computers. These emails appear to be legitimate emails sent by eBay, PayPal, or a user of one of those businesses, but direct recipients to fake websites operated by the sender of the email or request that the recipient send a password or other confidential information via email or download a program. Despite our efforts to mitigate “spoof” and “phishing” emails through product improvements and user education, “spoof” and “phishing” remain a serious problem that may damage our brands, discourage use of our websites, and increase our costs.

Our business is subject to online security risks, including security breaches and identity theft.

To succeed, online commerce and communications must provide a secure transmission of confidential information over public networks. Our security measures may not detect or prevent security breaches that could harm our business. Currently, a significant number of our users authorize us to bill their credit card accounts directly for all transaction fees charged by us. PayPal’s users routinely provide credit card and other financial information. We rely on encryption and authentication technology licensed from third parties to provide the security and authentication to effectively secure transmission of confidential information, including customer credit card numbers. Advances in computer capabilities, new discoveries in the field of cryptography or other developments may result in a compromise or breach of the technology used by us to protect transaction data. In addition, any party who is able to illicitly obtain a user’s password could access the user’s transaction data. An increasing number of websites have reported breaches of their security. Any compromise of our security could harm our reputation and, therefore, our business, and could result in a violation of applicable privacy and other laws. In addition, a party that is able to circumvent our security measures could misappropriate proprietary information, cause interruption in our operations, damage our computers or those of our users, or otherwise damage our reputation and business. Under credit card rules and our contracts with our card processors, if there is a breach of credit card information that we store, or that is stored by PayPal’s direct credit card processing customers, we could be liable to the credit card issuing banks for their cost of issuing new cards and related expenses. In addition, if we fail to follow credit card industry security standards, even if there is no compromise of customer information, we could incur significant fines or lose our ability to give customers the option of using credit cards to fund their payments or pay their fees. If we were unable to accept credit cards, our business would be seriously damaged.

eBay’s Korean subsidiary, IAC, has notified a majority of its approximately 20 million users of a January 2008 data breach involving personally identifiable information including name, address, resident registration number and some transaction and refund

32

data (but not including credit card information or real time banking information). Approximately 144,000 users have sued IAC over this breach in several lawsuits in Korean courts and we expect more to do so in the future. There is some precedent in Korea for a court to grant “consolation money” for data breaches without a specific finding of harm from the breach. Such precedents have involved payments of up to approximately $200 per user. IAC intends to vigorously defend itself in this lawsuit. In December 2008, the Korea Consumer Agency (KCA) made a non-binding recommendation that IAC make payments of 50,000-100,000 Korean won (approximately $37-$75) to consumers who had complained to it as a result of such breach. IAC rejected this non-binding recommendation and did not make any payments, and this KCA process has ended.

Our servers are also vulnerable to computer viruses, physical or electronic break-ins, and similar disruptions, and we have experienced “denial-of-service” type attacks on our system that have made all or portions of our websites unavailable for periods of time. We may need to expend significant resources to protect against security breaches or to address problems caused by breaches. These issues are likely to become more difficult as we expand the number of places where we operate. Security breaches, including any breach by us or by parties with which we have commercial relationships that result in the unauthorized release of our users’ personal information, could damage our reputation and expose us to a risk of loss or litigation and possible liability. Our insurance policies carry low coverage limits, which may not be adequate to reimburse us for losses caused by security breaches.

Our users, as well as those of other prominent Internet companies, have been and will continue to be targeted by parties using fraudulent “spoof” and “phishing” emails to misappropriate passwords, credit card numbers, or other personal information or to introduce viruses through “trojan horse” programs to our users’ computers. These emails appear to be legitimate emails sent by eBay, PayPal, Skype, or a user of one of those businesses, but direct recipients to fake websites operated by the sender of the email or request that the recipient send a password or other confidential information via email or download a program. Despite our efforts to mitigate “spoof” and “phishing” emails through product improvements and user education, “spoof” and “phishing” remain a serious problem that may damage our brands, discourage use of our websites, and increase our costs.