Snapchat has revealed it was targeted in a phishing attack by a scammer impersonating Evan Spiegal, the company’s co-founder and CEO.
The popular social network, which has raised more than $1 billion in funding, received an email last Friday requesting payroll data for employees. And, it seems, the payroll department didn’t notice it was a scam and duly divulged the information. Snapchat referred to the incident as “isolated” and admitted it was a single person within the company was responsible for the breach, insofar as they failed to spot the scam. The company statement reads:
“We’re a company that takes privacy and security seriously. So it’s with real remorse — and embarrassment — that one of our employees fell for a phishing scam and revealed some payroll information about our employees. The good news is that our servers were not breached, and our users’ data was totally unaffected by this. The bad news is that a number of our employees have now had their identity compromised. And for that, we’re just impossibly sorry.”
Snapchat is also quick to point out that its internal systems were not affected, none of its users’ data was breached, and it's already reported the attack to the FBI. It's also contacted current and ex-employees to offer identify-theft insurance and monitoring for two years.
Snapchat is the latest in a long line of companies that have been targeted by various forms of online hacks and attacks. While retail giant Target was one of the most high-profile victims in recent times, other smaller scale phishing attacks such as that experienced by SendGrid the previous year remind us how easy it is for a company’s reputation and security to be compromised — in SendGrid’s case, an employee’s account had been accessed by a cyberattacker and subsequently used to access the company’s in-house systems.
However, perhaps what’s most revealing about the Snapchat episode is the way in which the company has responded. It was essentially an internal incident that only impacted employees and previous employees at the company. Yet, Snapchat felt compelled to apologize publicly via its blog. However, why? With so several notable security breaches and lapses in recent times, Snapchat was clearly preempting negative publicity around this — by revealing what happened itself, without its hand being pushed by “rumors”, it can claim some form of moral high ground.
In other words, it not only acted swiftly to deal with the incident by contacting the affected employees and reporting it to the FBI, however, it's held its hands up and freely admitted its error to the world. Its statement concluded:
“When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong. To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks. Our hope is that we never have to write a blog post like this again.”