BreachExchange mailing list archives

String of Data Breaches Show Holiday Season Vulnerability


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 3 Jan 2014 19:57:59 -0700

http://www.moneynews.com/Personal-Finance/Data-Breach-Holiday-Vulnerability/2014/01/02/id/544933

A string of cyber attacks over the holidays — involving Snapchat Inc.,
Microsoft Corp.’s Skype and Target Corp. — underscores how companies tend to
be more vulnerable to hacking during the end-of-year season.

Snapchat saw data for 4.6 million of its users exposed on the Internet on
Dec. 31, just weeks after a Target breach revealed 40 million credit and
debit cards for the retailer’s consumers. Skype was targeted Wednesday by
the Syrian Electronic Army, though no user information was made public.

Companies are especially susceptible to hacks during the holiday season
because they reduce defenses and avoid changing the code for their websites
and mobile applications, said John Kindervag, an analyst at Forrester
Research. That’s because companies may fear that their systems would break
during peak traffic with many programmers on vacation, he said.

“Every company is a target, if it has data that can be monetized in the
black markets of the Internet,” he said. “During the holidays, companies
don’t make any changes or do anything to their systems, and IT people are
given vacation.”

Jon Callas, chief technology officer and co-founder of Silent Circle, which
makes an encrypted communications service, said hacking is a seasonal
business.

“If you’re going to try to pull off a big heist on a department store like
Target, you want to do it during the Christmas rush,” he said. That’s when
more people are shopping and plugging in credit card information, and “you
want the companies to be so overwhelmed with legitimate customers that
they’re not paying attention to you,” he said.

Snapchat Exposed

Snapchat, which makes a mobile-photo application, said in a Dec. 27 blog
post that a hacker security group explained how someone might make a
database of the company’s users based on their phone numbers. The group
then exposed Snapchat users’ information on a site called Snapchatdb.info,
which has since been removed.

The company will let users opt out of the “Find Friends” function that was
used to expose their information, it said Thursday. Snapchat is also adding
restrictions to make the type of hack harder to achieve, it said in a blog
post.

Wednesday, the Syrian Electronic Army also hacked into Skype’s Twitter
account and blog to post messages urging people not to use Microsoft
products, claiming that the Redmond, Washington-based company spies on
users and sells their data.

“We recently became aware of a targeted cyber attack that led to access to
Skype’s social media properties, but these credentials were quickly reset.
No user information was compromised,” Skype said in a statement.

Targeted Attack

Target said on Dec. 19 that security for customers’ credit cards may have
been breached between Nov. 27 and Dec. 15 as consumers made purchases in
stores in what is a critical period for retailers. The chain, which said it
has since identified and resolved the issue, agreed to give shoppers free
credit reporting and offered them a 10 percent discount on purchases during
the weekend before Christmas.

Molly Snyder, a spokeswoman for Minneapolis-based Target, didn’t respond to
a request for comment.

Companies spent 5.1 percent of their information-technology budgets on
security in 2013, up from 4.7 percent the previous year, according to
Gartner. Information breaches cost companies at least $10 million in legal
settlements and fines, Kindervag said.

“With the Target hack, you had customers posting on Facebook about the
breach before it was ever really publicly identified,” he said. “It’s hard
to keep these things quiet anymore.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
