A string of cyber attacks over the holidays — involving Snapchat Inc., Microsoft Corp.’s Skype and Target Corp. — underscores how companies tend to be more vulnerable to hacking during the end-of-year season.
Snapchat saw data for 4.6 million of its users exposed on the Internet on Dec. 31, just weeks after a Target breach revealed 40 million credit and debit cards for the retailer’s consumers. Skype was targeted this week by the Syrian Electronic Army, though no user information was made public.
Companies are especially susceptible to hacks during the holiday season because they reduce defenses and avoid changing the code for their websites and mobile applications, said John Kindervag, an analyst at Forrester Research. That’s because companies may fear that their systems would break during peak traffic with many programmers on vacation, he said.
“Every company is a target, if it has data that can be monetized in the black markets of the Internet,” he said. “During the holidays, companies don’t make any changes or do anything to their systems, and IT people are given vacation.”
Jon Callas, chief technology officer and co-founder of Silent Circle, which makes an encrypted communications service, said hacking is a seasonal business.
“If you’re going to try to pull off a big heist on a department store like Target, you want to do it during the Christmas rush,” he said. That’s when more people are shopping and plugging in credit card information, and “you want the companies to be so overwhelmed with legitimate customers that they’re not paying attention to you,” he said.
Snapchat said in a Dec. 27 blog post that a hacker security group explained how someone might make a database of the company’s users based on their phone numbers. The group then exposed Snapchat users’ information on a site called Snapchatdb.info, which has since been removed.
The company will let users opt out of the “Find Friends” function that was used to expose their information, it said yesterday. Snapchat is also adding restrictions to make this type of hack harder to achieve, it said in a blog post.
“They notified the company, the company downplayed it and didn’t implement the fix, and that caused them to expose people,” Lawrence Pingree, an analyst at researcher Gartner, said in an interview. “There are certainly fixes for these issues.”
Mary Ritti, a spokeswoman for Los Angeles-based Snapchat, didn’t respond to a request for comment. Snapchat is an application for sending annotated photos, which disappear after they are viewed. Facebook Inc. last year tried to buy the company for about $3 billion, people familiar with the matter have said.
On Jan. 1, the Syrian Electronic Army also hacked into Skype’s Twitter account and blog to post messages urging people not to use Microsoft products, claiming that the Redmond, Washington-based company spies on users and sells their data.
“We recently became aware of a targeted cyber attack that led to access to Skype’s social media properties, but these credentials were quickly reset. No user information was compromised,” Skype said in a statement.
Target said on Dec. 19 that security for customers’ credit cards may have been breached between Nov. 27 and Dec. 15 as consumers made purchases in stores in what is a critical period for retailers. The chain, which said it has since identified and resolved the issue, agreed to give shoppers free credit reporting and offered them a 10 percent discount on purchases during the weekend before Christmas.
Molly Snyder, a spokeswoman for Minneapolis-based Target, declined to comment.
Companies spent 5.1 percent of their information-technology budgets on security in 2013, up from 4.7 percent the previous year, according to Gartner. Information breaches cost companies at least $10 million in legal settlements and fines, Kindervag said.
“With the Target hack, you had customers posting on Facebook about the breach before it was ever really publicly identified,” he said. “It’s hard to keep these things quiet anymore.”
–Editors: Pui-Wing Tam, Reed Stevenson