Snapchat’s Employee Data Breach: What Can We Learn?

The video-messaging giant Snapchat recently announced on their blog that they have suffered a data breach that lost them the personal information of roughly 700 of their current or former employees.

Names, social security numbers and wage data were compromised in the breach. While it is fortunate that no user data was stolen, cyber criminals are in a good position to commit identity fraud/ theft with just the three types of data that were lost.

What’s interesting is how hackers managed to get their hands on the data. The attacker pretended to be Snapchat Chief Executive Officer Evan Spiegel, and tricked an employee into sending sensitive employee information to him.

So, it was not through exploiting a zero-day vulnerability or even through a piece of brilliant coding — they just sent a really, really convincing email.

And it’s hard to not feel incredibly vulnerable, when you think that your million-dollar cybersecurity efforts could be rendered entirely useless by one gullible employee.

 

Phishing: It’s as Easy as Shooting Fish in a Barrel

Snapchat is not the first phishing victim, and it certainly isn’t going to be the last. According to the recently released Verizon Data Breach Digest, phishing attacks are both incredibly common and successful. 20% of all confirmed data breaches in the last 3 years were conducted through phishing attacks, and it’s a number that is only continuing to rise.

Sometimes phishing attacks are relatively simple, like what happened in the Snapchat incident. Other times, they can be much more nefarious and potent, like Anthem Inc. discovered last year when they lost millions of healthcare records to hackers who stole the credentials of Anthem employees through phishing schemes.

 

Snapchat also suffered a data breach in 2013, where 4.6 million of its users' names and phone numbers were posted online.

Snapchat also suffered a data breach in 2013, where 4.6 million of its users’ names and phone numbers were posted online.

 

The Morning-After Pill

Snapchat was quick to detect the breach, discovering the incident four hours after it took place. They then detected which employees had been affected by the breach, and offered them two years of free identity-theft insurance and monitoring.

Snapchat also mentioned that they already have training programs around privacy and security in place, and that they will be redoubling on their efforts to make sure their staff are able to recognise and fight back against phishing attacks.

Another control against phishing attacks would be making sure that your business has a strong identity and access management program. Digital identities should be clearly verified so that no users can get confused by impersonators with slightly different email addresses.

The threat of phishing is very real, but it can definitely be beaten with a good mix of educated skepticism, and a healthy dose of common sense.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *