Start-ups rush to lock security door — after horse has bolted
NEW YORK — Young tech companies have a long list of to-dos. Signing up users and raising money are usually at the top of the list.
Much further down? Data security. That neglect has recently come back to bite many new applications and Web services — and their users — and has them rushing to improve their products after breaches and holes were discovered.
Tinder, the popular dating app, last month acknowledged flaws in its software that would let hackers pinpoint the exact locations of people using the service. Kickstarter, the crowdfunding site, also said last month that hackers had gained access to customer data, including passwords and phone numbers.
And only days after the messaging service WhatsApp was sold to Facebook for up to US$19 billion (S$24 billion) two weeks ago, security researchers pointed out that — despite the company’s claims to the contrary — WhatsApp had lax encryption and protection of personal information for its more than 400 million users.
“There’s so much focus on acquiring customers and delivering products and services that security is not top of mind,” said Mr Tripp Jones, a partner at August Capital, a Silicon Valley venture capital firm. Half-joking, he added: “For many companies, a security breach would almost be a nice problem to have in some cases. It means you have enough customers for someone to care.”
Many of the companies, including Kickstarter and Tinder, have rushed to improve their overall security after they were breached. Snapchat, the ephemeral messaging service that repeatedly ignored warnings about a data breach that exposed millions of user names and phone numbers, eventually acknowledged the loophole and hired Mr Peter Magnusson, a head of engineering at Google, to help improve the company’s security efforts. Even so, as Snapchat has gained more users, it has also lured spammers, who have taken to sending malicious ads and links using the service.
Mr Jay Nancarrow, a Facebook spokesman, said one of the first things Facebook plans to do after the WhatsApp deal closes is to conduct an intense security audit of WhatsApp and its messaging service.
“We always perform a thorough security audit and share security resources when we acquire a company,” Mr Nancarrow said. “Security is always a top priority for us.”
While bigger and more established tech companies such as Facebook generally have teams dedicated to security, they are not impervious to vulnerabilities. And they still have the biggest targets on their chests. Late last month, for example, Apple acknowledged a bug in its operating system that could let hackers tap into information in emails and other communications that were meant to be encrypted.
Still, when a new mobile service takes off, it is usually far more vulnerable. Before a major breach or hole is discovered, analysts say, tech entrepreneurs take possible security risks as an accepted trade-off for building their product at a rapid pace. Stricter password requirements and airtight encryption take a back seat to user growth, convenience and feature introductions.