BreachExchange mailing list archives
String of Data Breaches Show Holiday Season Vulnerability
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 3 Jan 2014 19:57:59 -0700
http://www.moneynews.com/Personal-Finance/Data-Breach-Holiday-Vulnerability/2014/01/02/id/544933

A string of cyber attacks over the holidays — involving Snapchat Inc., Microsoft Corp.’s Skype and Target Corp. — underscore how companies tend to be more vulnerable to hacking during the end-of-year season.

Snapchat saw data for 4.6 million of its users exposed on the Internet on Dec. 31, just weeks after a Target breach revealed 40 million credit and debit cards for the retailer’s consumers. Skype was targeted Wednesday by the Syrian Electronic Army, though no user information was made public.

Companies are especially susceptible to hacks during the holiday season because they reduce defenses and avoid changing the code for their websites and mobile applications, said John Kindervag, an analyst at Forrester Research. That’s because companies may fear that their systems would break during peak traffic with many programmers on vacation, he said.

“Every company is a target, if it has data that can be monetized in the black markets of the Internet,” he said. “During the holidays, companies don’t make any changes or do anything to their systems, and IT people are given vacation.”

Jon Callas, chief technology officer and co-founder of Silent Circle, which makes an encrypted communications service, said hacking is a seasonal business.

“If you’re going to try to pull off a big heist on a department store like Target, you want to do it during the Christmas rush,” he said. That’s when more people are shopping and plugging in credit card information, and “you want the companies to be so overwhelmed with legitimate customers that they’re not paying attention to you,” he said.

Snapchat Exposed

Snapchat, which makes a mobile-photo application, said in a Dec. 27 blog post that a hacker security group explained how someone might make a database of the company’s users based on their phone numbers. The group then exposed Snapchat users’ information on a site called Snapchatdb.info, which has since been removed.

The company will let users opt out of the “Find Friends” function that was used to expose their information, it said Thursday. Snapchat is also adding restrictions to make the type of hack harder to achieve, it said in a blog post.

Wednesday, the Syrian Electronic Army also hacked into Skype’s Twitter account and blog to post messages urging people not to use Microsoft products, claiming that the Redmond, Washington-based company spies on users and sells their data.

“We recently became aware of a targeted cyber attack that led to access to Skype’s social media properties, but these credentials were quickly reset. No user information was compromised,” Skype said in a statement.

Targeted Attack

Target said on Dec. 19 that security for customers’ credit cards may have been breached between Nov. 27 and Dec. 15 as consumers made purchases in stores in what is a critical period for retailers.

The chain, which said it has since identified and resolved the issue, agreed to give shoppers free credit reporting and offered them a 10 percent discount on purchases during the weekend before Christmas.

Molly Snyder, a spokeswoman for Minneapolis-based Target, didn’t respond to a request for comment.

Companies spent 5.1 percent of their information-technology budgets on security in 2013, up from 4.7 percent the previous year, according to Gartner.

Information breaches cost companies at least $10 million in legal settlements and fines, Kindervag said. “With the Target hack, you had customers posting on Facebook about the breach before it was ever really publicly identified,” he said. “It’s hard to keep these things quiet anymore.”