Snapchat’s Employee Data Breach: What Can We Learn?

The video-messaging giant Snapchat recently announced on their blog that they have suffered a data breach that lost the personal information of roughly 700 of their current or former employees.

Names, social security numbers, and wage data were compromised in the breach. While it is fortunate that no user data was stolen, cybercriminals are in a good position to commit identity fraud/ theft with just the three types of data that were lost.

What’s interesting is how hackers managed to get their hands on the data. The attacker pretended to be Snapchat Chief Executive Officer Evan Spiegel and tricked an employee into sending sensitive employee information to him.

So, it was not through exploiting a zero-day vulnerability or even through a piece of brilliant coding — they just sent a really, really convincing email.

And it’s hard to not feel incredibly vulnerable when you think that your million-dollar cybersecurity efforts could be rendered entirely useless by one gullible employee.

Phishing: It’s as Easy as Shooting Fish in a Barrel

Snapchat is not the first phishing victim, and it certainly isn’t going to be the last – phishing attacks are both incredibly common and successful. 

Sometimes phishing attacks are relatively simple, like what happened in the Snapchat incident. Other times, they can be much more nefarious and potent, like Anthem Inc. discovered last year when they lost millions of healthcare records to hackers who stole the credentials of Anthem employees through phishing schemes.

The Morning-After Pill

Snapchat was quick to detect the breach, discovering the incident four hours after it took place. They then detected which employees had been affected by the breach, and offered them two years of free identity-theft insurance and monitoring.

Snapchat also mentioned that they already have training programs around privacy and security in place and that they will be redoubling on their efforts to make sure their staff are able to recognize and fight back against phishing attacks.

Another control against phishing attacks would be making sure that your business has a strong identity and access management program. Digital identities should be clearly verified so that no users can get confused by impersonators with slightly different email addresses.

The threat of phishing is very real, but it can definitely be beaten with a good mix of educated skepticism, and a healthy dose of common sense.