Snapchat employee data lost in phishing attack

29 Feb, 2016

Social media service plans to intensify its staff training going forward

Current and former Snapchat employees have had their details compromised following a scam email targeting the social media company.

The company, known for its ephemeral video messaging service, published a public apology to its employees on its blog, explaining that one of its employees had fallen for a phishing attack and disclosed the payroll information of a number of current and former employees.

“Last Friday, Snapchat’s payroll department was targeted by an isolated email phishing scam in which a scammer impersonated our chief executive officer and asked for employee payroll information,” wrote Snapchat in its blog post.

“Unfortunately, the phishing email wasn’t recognised for what it was – a scam – and payroll information about some current and former employees was disclosed externally.”

Snapchat emphasised that its internal servers were not breached and no user data was affected by the cyber attack.

It would not be specific about what was included in the payroll information, but it likely includes personal details, such as employees' names, addresses, bank details and pension plans.

When it identified that one of its employees had fallen for a scam, Snapchat moved quickly. It reported the incident to the FBI. It has also contacted the affected employees, both current and former, and offered them two years of identity theft insurance and monitoring.

“When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong,” Snapchat added.

“To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks.”

Snapchat has been in the news for security breaches on more than one occasion. In 2014, hackers exposed some 100,000 explicit pictures that users presumed had been deleted by the temporary messaging service, which has become a haven for sexting.

A report in 2013 from Gibson Security also exposed security flaws in the service, and later that same year the service was hacked via a vulnerability in a third-party API.

In related news, the UK government is taking phishing attacks against businesses seriously and wants UK businesses to train their employees about the importance of cybersecurity. Earlier this month Ed Vaizey, minister for culture and the digital economy, launched a free e-learning course to teach HR staff about the dangers of cyber attacks.