The holidays began and ended with the bang of newsworthy cyber breaches that illustrated the complexity of hacking scenarios, which vary in their intent and fallout on targeted companies and their customers, who are viewed as the victims.
Beginning on Black Friday in December and lasting until Dec. 15, Target experienced a data breach involving 40 million credit, debit, and RedCard records. The retailer announced the leak in a public blog post on Dec. 19.
“The legal framework for data theft notification is governed by states, which makes handling a multistate breach very challenging,” says Matt Donovan, assistant vice president and underwriting leader of technology and privacy at Hiscox. “In Target’s instance, they posted a public disclosure on their website to direct customers to call their banking providers, but they didn’t directly issue mailed letters to customers notifying them of exposed information, as a breached healthcare provider would do.”
According to Donovan, the main concern for retailers facing leaked payment data is the Merchant Services Agreement between it and a payment card processor, such as Heartland Payment Systems (which itself suffered a breach years ago), which would make the retailer liable for card reissuance expenses and fraudulent charges.
Further complicating Target’s situation is that while representatives denied the possibility of compromised customer PIN numbers, it admitted just after Christmas that this information had been captured as well.
Shortly after this incident, on New Year’s Day 2014, security researchers from SnapchatDB.info captured and posted 4.6 million usernames and phone numbers from Snapchat, a “private” service that lets users send each other photos or videos that disappear after viewing.
The New York Times reports that Snapchat users send up to 350 million photos a day.
Cyber analysis firm Gibson Security wrote to Snapchat that its database was vulnerable to hacking, and posted about it on the web after its message was ignored.
“Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way,” said Snapchat creators Evan Spiegel and Bobby Murphy, in a blog post responding to the warning on December 27, just before the data dump. “Over the past year we’ve implemented various safeguards to make it more difficult to do.”
Donovan says that Snapchat’s breach would be handled differently than one affecting a retailer.
“Unlike Target’s hack that was done for direct financial gain, Snapchat’s breach was an example of hacktivism to expose the vulnerability of the company,” he says. “The hackers do not seem to have breached Snapchat for a financial gain; rather to expose how security vulnerabilities can affect individuals.”
One thing the breaches had in common was their influence on raising awareness regarding the imperative of companies to watch their data.
“Newsworthy issues like this drive awareness to the general public,” says Donovan. “It always helps to see real world examples.”