Snapchat Data Breach Caused by Phishing Email

Once upon a time, the content of phishing emails was amusing, if not downright bizarre. These emails included odd stories about deposed royalty from far-off countries, people who barely managed to escape with their lives… and their billions of dollars.

For some inexplicable reason, they couldn’t get the money out of the country themselves, so in exchange for letting them deposit the money into your account (they’re outrunning the coup, but have time to stop off at the bank and transfer the money to you), they would let you keep a lot of it for your trouble.

The so-called Nigerian prince emails—nicknamed that due to the typical story involving Nigerian royalty—have now worked their way into urban legend and pop culture. But what happens when the email isn’t so funny, and the consequences for following through with the instructions are life-altering for a lot of people?

That’s exactly what happened to the employees at popular social media site Snapchat. An employee received a phishing email, one that even some of the most scam-aware people might not immediately recognize. Instead of Nigerian princes and unbelievable offers of shared millions, the email appeared to come from the company CEO, and the request wasn’t all that outrageous: just forward him the payroll information for all of the employees. It’s easy to understand why, especially here at tax time, an executive of a relatively small company might need that information.

While Snapchat was very quick to point out that its users’ information was not accessed in this breach, its employees’ identities have now been compromised. Unfortunately, even the most heartfelt apology from the company won’t undo that, although the affected employees will receive two years of free credit monitoring, more than most corporations provide to employees or customers following a data breach.

There is a silver lining in this event, although it’s slight: when large-scale data breaches like this one first began to make headlines, the response timeline was often far worse. A breach that happened over a long period of time might not even get noticed until months afterwards, and then another long stretch of time passed while the company investigated the extent of the breach, usually before ever alerting the authorities or the customers. In this event, the FBI was called four hours after the email was sent to the criminal masquerading as the CEO. If any good can be said to come from this, it serves as an example to other companies of how to handle a breach or hacking event quickly, and it speaks to the need for even more in-depth training and awareness of security threats.

So what could the employees have done to prevent their information from being shared with an identity thief? Literally nothing. They were required to turn over their information in order to be employed, so withholding personally identifiable information wouldn’t have applied in this instance, at least not in the way the public is warned never to share their Social Security numbers with schools or medical offices, for example. They also were not aware of the phishing attack, so they couldn’t have prevented that, either.

What employees in every industry and field can do, however, is make sure their companies are providing training on data breaches, hacking attempts, phishing attacks, and more. Speak up by alerting your supervisors to the need for security protocols and up-to-date, periodic security training. The only things that could have prevented this breach are better awareness of the threats and a company policy about seeking verification before fulfilling an exceptional request, and those are avenues that Snapchat has promised to explore moving forward.

 
