Facebook acquires m-messaging company
Facebook has reached an agreement to acquire WhatsApp, a cross-platform mobile messaging company, for a total of approximately $16 billion, including $4 billion in cash and approximately $12 billion worth of Facebook shares. The agreement also provides for an additional $3 billion in restricted stock units to be granted to WhatsApp’s founders and employees that will vest during four years subsequent to closing.
WhatsApp has 450 million monthly users and adds about 1 million new users per day. WhatsApp’s brand will be maintained; its headquarters will remain in Mountain View, Calif.; co-founder and CEO Jan Koum will join Facebook’s board of directors; and WhatsApp’s core messaging product and Facebook’s existing Messenger app will continue to operate as standalone applications.
Facebook said in a statement that the acquisition supports Facebook and WhatsApp’s shared mission to deliver core Internet services efficiently and affordably, and that the combination will help accelerate growth and user engagement across both companies.
Facebook purchases WhatsApp following a failed effort to purchase visual messaging service Snapchat for $3 billion. However, WhatsApp has been around five years as opposed to two years for Snapchat, and added 100 million new users in fourth quarter 2013. The company sends text messages over WiFi Internet instead of cellular networks. The WhatsApp app is free to download and use for the first 12 months, then costs 99 cents.
"WhatsApp is on a path to connect 1 billion people. The services that reach that milestone are all incredibly valuable," said Mark Zuckerberg, Facebook founder and CEO. "I’ve known Jan for a long time and I’m excited to partner with him and his team to make the world more open and connected."
Target adds mobile games to digital strategy
Target has been ramping up digital efforts for a few years now, but its Digital Vendor Marketing (DVM) team is putting the retailer on the mobile games map.
Target sees mobile games as an opportunity to directly reach customers and showcase the brands and vendors on its store shelves.
“We’re really focused on creating great games for guests that are simple, yet challenging enough to make you want to play again and again,” says Dawn Block, who oversees the DVM team as a VP of Target.com and mobile.
While mobile gaming is still something new for Target, the retailer has already partnered with major brands that include Coca-Cola, M&M’s, Johnson & Johnson and now Purina. The first official game was a football party-themed game called “Snack Bowl.”
Target will roll out several games in the course of this year, but its most recent launch is “Pop It!” The game focuses on one of Purina’s newest products, the Beggin’ Party Poppers. Made to simulate the game-like experience of the treat dispensers, “Pop It!” allows users to interact with the product.
“This is the first time we’ve paired a mobile game with a product launch, so this is a test and learn opportunity for Beggin’,” says Christi Maginn, director of shopper marketing for Nestlé Purina PetCare.
For several weeks, “Pop It!” players will also receive a Target mobile coupon for the new products. Consumers can flash their phones at checkout to redeem.
The issues surrounding the Target data breach
“Ongoing investigation.” “Forensics and law enforcement continue to investigate.” For now, it is a bit too early to write the “Lessons Learned” piece about the Target/Neiman Marcus/Michaels data breach incident. But there are a few things that were known before these latest payment card/database breaches occurred and should be put into context in light of what we are currently investigating.
From the legal perspective, data breach notification laws are just that: after-the-fact notification. There are few standards to which businesses should generally be held in most of the state data breach notification statutes that outline proactive requirements. Massachusetts has been the notable exception since 2010. An excellent review of the Federal Trade Commission’s consent orders in the data privacy and security arena by scholars from Carnegie Mellon provide a road map to what has been considered unreasonable and where businesses should be looking to address known vulnerabilities — but this analysis was written in 2008 and the same vulnerabilities seem to keep tripping up businesses.
There is a consistent note underlying the latest (and some of the earlier) data breaches: “but we were PCI compliant.” Unfortunately, this refrain should likely be a takeaway here. Reliance on the Payment Card Industry Data Security Standards (PCI-DSS) is misplaced. It is a starting point, not the endgame. PCI standards do not require that cardholder data (whether it is EMV or mag-stripe) be encrypted “in transit.” The standards only specify that such data be encrypted at rest — that is, when it is stored. Most merchants have moved to tokenization and do not store cardholder data. If they do store that information, to be PCI compliant, it must be encrypted. But the hackers are grabbing the data in real-time, moving it to dump files and picking it up later. If you want to know the gory technical details of this type hack, check out Krebs on Security and read Brian Krebs’ analysis of each of the latest breaches. Although the information is still evolving, the tactics appear to be the same.
In order to get ahead — and stay ahead — of the hackers, industry participants need to push one another and not point at one another. Retailers and card associations must get into the same boat and row in the same direction. The debate over mag-stripe versus the so-called EMV card (or chip-and-PIN) is not the only issue; however, it is notable that the United States is one of the last countries to use magnetic strip technology on its payment cards. But there are no magic wands here; by the time EMV adoption arrives, the perps will have found an end run and retail will again need to pivot.
The FBI has warned retailers to expect more card breaches. “Expecting” breaches and “anticipating” breaches are different, and retail information security technology is not particularly good at detecting intrusion. All of the latest retail hack victims (and retailers are victims of criminal behavior) only learned of the incident when notified by law enforcement — and law enforcement in turn had been notified by the credit card issuers when common point of purchase problems popped up. The FBI report distributed to retailers entitled “Recent Cyber Intrusion Events Directed Toward Retail Firms” should be required reading, not only in the CISO and IT shops, but also in boardrooms. Failures to act in light of known (and warned of) vulnerabilities can leave retailers exposed in the courtroom.
Directors should be focusing on information security issues as a regular part of risk management. What is the “duty of care” when it comes to information security? In the retail sector, like banking and healthcare, a failure to exercise due oversight in the boardroom could lead to material adverse effect on earnings. Who is in charge of cybersecurity? What is the role of board oversight? Does the company have an incident response plan, or is it ad hoc? Has the board participated (or overseen) a risk assessment of inside and outside threats? What is the company’s position on public disclosure in securities filings?
Invest in prevention — technical, operational, and legal. It is the rare business that operates now without a business continuity or disaster recovery plan. Operating without a straightforward, well-executed and well-monitored and tested information security plan should become equally as rare.
Data breach investigations move quickly and facts change over time. This piece was written before it was learned that hackers likely gained access to the Target payment network — and the cardholder data stored there — through an email phishing attack at an HVAC vendor. What kind of network access do your vendors have? How are security assessments conducted? The Target incident demonstrates that any vendor — no matter how insignificant — with access into a network can create a vulnerability that can be exploited. Third-party risk assessments are as important as PCI assessments.
Cynthia Larose chairs the privacy and security practice at Mintz Levin Cohn Ferris Glovsky and Popeo PC and is a certified information privacy professional.