When Start-Ups Don’t Lock the Doors; For new tech companies, developing features and acquiring users tends to be a priority over securing customer data, leaving them vulnerable to security breaches


By JENNA WORTHAM and NICOLE PERLROTH, MARCH 2, 2014

Young tech companies have a long list of to-dos. Signing up users and raising money are usually at the top of the list.

Much further down? Data security. That neglect has recently come back to bite many hot new applications and web services — and their users — and has them rushing to improve their products after breaches and holes were discovered.

Tinder, the popular dating app, last month acknowledged flaws in its software that would let hackers pinpoint the exact locations of people using the service. Kickstarter, the crowdfunding site, also said last month that hackers had gained access to customer data, including passwords and phone numbers.

And only days after the messaging service WhatsApp was sold to Facebook for up to $19 billion two weeks ago, security researchers pointed out that — despite the company’s claims to the contrary — WhatsApp had lax encryption and protection of personal information for its more than 400 million users.

“There’s so much focus on acquiring customers and delivering products and services that security is not top of mind,” said Tripp Jones, a partner at August Capital, a Silicon Valley venture capital firm. Half-joking, he added: “For many companies, a security breach would almost be a nice problem to have in some cases. It means you have enough customers for someone to care.”

Many of the companies, including Kickstarter and Tinder, have rushed to improve their overall security after they were breached. Snapchat, the ephemeral messaging service that repeatedly ignored warnings about a data breach that exposed millions of user names and phone numbers, eventually acknowledged the loophole and hired Peter Magnusson, a head of engineering at Google, to help improve the company’s security efforts. Even so, as Snapchat has gained more users, it has also lured spammers, who have taken to sending malicious ads and links using the service.

Jay Nancarrow, a Facebook spokesman, said one of the first things Facebook planned to do after the WhatsApp deal closed was conduct an intense security audit of WhatsApp and its messaging service.

“We always perform a thorough security audit and share security resources when we acquire a company,” Mr. Nancarrow said. “Security is always a top priority for us.”

While bigger and more established tech companies like Facebook generally have teams dedicated to security, they are not impervious to vulnerabilities. And they still have the biggest targets on their chests. In late February, for example, Apple acknowledged a bug in its operating system that could let hackers tap into information in emails and other communications that were meant to be encrypted.

Still, when a new mobile service takes off, it is usually far more vulnerable. Before a major breach or hole is discovered, analysts say, tech entrepreneurs take possible security risks as an accepted trade-off for building their product at a rapid pace. Stricter password requirements and airtight encryption take a back seat to user growth, convenience and feature introductions.

And in many ways, mobile apps and services — which have been taking off most rapidly lately — face security challenges different from those of technology built for their desktop predecessors. The information at risk on mobile devices is often more personal than on desktop devices, because mobile devices now include things like digital wallet apps, location-tracking recommendation services, and photo-messaging apps.

Government officials say the amount of data flowing through some young companies’ networks rivals what the government itself can collect. The danger, some officials note, is that government agencies have no jurisdiction to protect it, or even the ability to share classified threat information with the companies, leaving the onus to protect personal data from cybercriminals and nation-states upon the companies themselves.

Aaron Grattafiori, a security researcher at iSEC Partners, a security firm, said start-ups could not always anticipate their potential security holes.

“There’s a lot more user information on a phone than there used to be,” he said. “Often start-ups can be in over their heads before they know it.”

And start-ups are asking for increasingly personal information. ThirdLove, a lingerie company, uses a mobile application to gauge a woman’s bra size using an iPhone camera. After signing up, users take a photograph of their torso in a fitted tank top and send it to the company, which uses virtual sizing algorithms to determine their bra size. The company says it has gone through extensive security audits to protect sensitive information, and claims to use top-level encryption, said Heidi Zak, a founder of the company.

“No one ever accesses those photos,” she said. “Most women are in a tank top and their heads are cut off.” Ms. Zak declined to say how many customers the service had, but said that 85 percent of the customers had used the free sizing software.

Some entrepreneurs say they are making security a priority from the start of their venture. As breaches become more commonplace, top-notch security can be a powerful marketing tool.

After Snapchat was breached, for example, Wickr, a competitive service that uses secure encryption and does not store customer information on its servers, experienced a 50 percent bump in user sign-ups. It saw a 600 percent jump last week after security researchers began to question the security of WhatsApp. Among those who migrated to Wickr from WhatsApp was Amit Yoran, former cybersecurity czar at the Department of Homeland Security, who said he switched because of the lack of transparency around WhatsApp’s security and privacy policies.

“From the moment we started building Wickr, we assumed we’d be attacked by the most advanced nation-states in the world,” said the Wickr co-founder Nico Sell. “Nowadays, I think every company needs to make that assumption.”

To that end, Wickr will announce this week that it plans to license its encryption software to apps like Snapchat or WhatsApp as part of its business model, rather than profit off user data. That pledge has gone over well with security- and privacy-minded investors. Wickr just raised over $9 million from Thor Halvorssen, president of the Human Rights Foundation; Gilman Louie, former head of the C.I.A.’s venture arm, In-Q-Tel; Juniper, a networking company; Richard A. Clarke, the former counterterrorism czar; and others.

But all too often, security researchers and analysts say, founders’ approach to security is still simply to pray that their company is not hacked, and to ask for forgiveness if it is.

Robert Hansen, the director of product management at WhiteHat Security, a website security company, said persuading start-ups to invest in security could often feel like “talking to a brick wall.”

“Most don’t get it, and the ones who do don’t want to get it,” Mr. Hansen said. “It’s all about opportunity cost. For every dollar they spend on better security, they think they’re abandoning a new feature that can get them featured on Gawker.”

But start-ups that have not prioritized data security have learned the hard way that breaches can also lead to publicity — only of an undesirable sort.

Ashvin Kumar, the chief executive of Tophatter, a mobile live-auction site, recalled a disastrous hack that tarnished the reputation of one of his previous companies, Blippy, which let people publish their credit card transactions online. The service, which was introduced in 2010, first garnered positive attention from venture capitalists and early adopters before users realized that some credit card details were being indexed by Google and appearing in search results.

Mr. Kumar described the episode as a “freak occurrence” but also acknowledged a bit of neglect and oversight when it came to protecting his users. “We didn’t foresee that certain aspects of the information we were storing had personally identifiable information in it,” he said.

He said that most entrepreneurs understood the gravity of security missteps. “Everyone would acknowledge that one misstep and you’re toast,” he said. “It’s a really, really serious issue.”

Even so, he said, it is easy to let that lapse while founders get a new product up and running.

“If all day you worry about the security,” he said, “you don’t have a product.”
