A new year, and here's the first round of virtual break-ins.
The online retailer Zappos took a particularly heavy hit. No fewer than 24 million customers were potentially affected by the theft of names, addresses, email addresses, and password hashes, but not credit card data, Zappos says -- not, that is, unless you count the last four digits of credit card numbers.
The consequences, even if critical credit card data has not been exposed, are hardly trivial. Zappos was compelled to shut down telephone customer service numbers, because of the anticipated volume of panic calls, and communicate with the 24 million potential victims by email only, explaining that their passwords had been expired and needed to be reset. If just a small percentage of the market segment affected decides that Zappos' security is untrustworthy, that's a huge loss of return business.
The circumstances of the theft remain murky. According to Zappos, a cyberthief accessed the company's networks via a server in Kentucky. How and when, the retailer isn't saying. This doesn't mean people aren't asking hard questions, like why encryption was not more broadly applied to the information Zappos retained. Names, addresses, and email addresses are a goldmine for phishers.
The situation also underlines the argument I've made here repeatedly that enterprises that choose to retain their customers' financial data should regard themselves as banks, and act like banks, for the purposes of security. But why beat up on Zappos when even security vendors aren't secure?
To the long list of major cybersecurity players taken to the cleaners by the hacker community, we can now add Symantec, whose "software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored." Right.
This month, the security giant announced that an early version of the source code for its Norton Anti-Virus product had been pilfered from a third party. If the Web is to be believed, the third party was a poorly secured Indian government server, and the bandits a crew of Indian hackers rejoicing in the name "The Lords of Dhamaraja" (or Lords of Death, according to Hinduism).
Symantec emphasized that the code was old, that its own systems had not been breached, and that it was all a fuss about nothing. Unfortunately, as of this week, those statements are no longer operative. Apparently, some rather more valuable code was stolen, too, including the source code for its pcAnywhere remote access product. Like Zappos, Symantec will be "reaching out" to pcAnywhere customers, and there probably aren't 24 million of them.
Again, there are many unanswered questions. Symantec is talking about a 2006 security breach. Presumably, that's distinct from the breach of the systems in India that has prompted the bragging by the Lords of Dhamaraja. If so, what are the details of the 2006 breach? Furthermore, how widely is Symantec required to distribute its source code among its customers? How much valuable code is sitting on vulnerable servers for which Symantec itself has no responsibility?
Maybe the answers are in Symantec's whitepaper "Why Breaches Happen and What to Do About It."