Snapchat, Skype breaches show holiday season vulnerability

San Francisco: A string of cyber attacks over the holidays—involving Snapchat Inc., Microsoft Corp.’s Skype and Target Corp.—underscore how companies tend to be more vulnerable to hacking during the end-of-year season.

Snapchat saw data for 4.6 million of its users exposed on the Internet on 31 December, just weeks after a Target breach revealed 40 million credit and debit cards for the retailer’s consumers. Skype was targeted on Thursday by the Syrian Electronic Army, though no user information was made public.

“Companies are especially susceptible to hacks during the holiday season because they reduce defenses and avoid changing the code for their websites and mobile applications,” said John Kindervag, an analyst at Forrester Research. “That’s because companies may fear that their systems would break during peak traffic with many programmers on vacation,” he said.

“Every company is a target, if it has data that can be monetized in the black markets of the Internet,” he said. During the holidays, companies don’t make any changes or do anything to their systems, and IT people are given vacation.

Jon Callas, chief technology officer and co-founder of Silent Circle, which makes an encrypted communications service, said hacking is a seasonal business.

“If you’re going to try to pull off a big heist on a department store like Target, you want to do it during the Christmas rush,” he said. “That’s when more people are shopping and plugging in credit card information, and you want the companies to be so overwhelmed with legitimate customers that they’re not paying attention to you,” he said.

Snapchat exposed

Snapchat, which makes a mobile-photo application, said in a 27 December blog post that a hacker security group explained how someone might make a database of the company’s users based on their phone numbers. The group then exposed Snapchat users’ information on a site called Snapchatdb.info, which has since been removed.

“The company will let users opt out of the Find Friends function that was used to expose their information,” it said on Friday. “Snapchat is also adding restrictions to make the type of hack harder to achieve,” it said in a blog post.

On Thursday, the Syrian Electronic Army also hacked into Skype’s Twitter account and blog to post messages urging people not to use Microsoft products, claiming that the Redmond, Washington-based company spies on users and sells their data.

“We recently became aware of a targeted cyber attack that led to access to Skype’s social media properties, but these credentials were quickly reset. No user information was compromised,” Skype said in a statement.

Targeted attack

Target said on 19 December that security for customers’ credit cards may have been breached between 27 November and 15 December as consumers made purchases in stores in what is a critical period for retailers. The chain, which said it has since identified and resolved the issue, agreed to give shoppers free credit reporting and offered them a 10% discount on purchases during the weekend before Christmas.

Molly Snyder, a spokeswoman for Minneapolis-based Target, didn’t respond to a request for comment.

Companies spent 5.1% of their information-technology budgets on security in 2013, up from 4.7% the previous year, according to Gartner. Information breaches cost companies at least $10 million in legal settlements and fines, Kindervag said.

“With the Target hack, you had customers posting on Facebook about the breach before it was ever really publicly identified,” he said. “It’s hard to keep these things quiet anymore.” Bloomberg