Snapchat has revealed it was targeted in a phishing attack by a scammer impersonating Evan Spiegel, the company’s cofounder and CEO.
The popular social network, which has raised more than $1 billion in funding, received an email last Friday requesting payroll data for employees. And, it seems, the payroll department didn’t notice that it was a scam and duly divulged the information.
Snapchat referred to the incident as “isolated” and said a single person within the company was responsible for the breach — insofar as that individual failed to spot the scam. The company’s statement reads:
“We’re a company that takes privacy and security seriously. So it’s with real remorse — and embarrassment — that one of our employees fell for a phishing scam and revealed some payroll information about our employees. The good news is that our servers were not breached, and our users’ data was totally unaffected by this. The bad news is that a number of our employees have now had their identity compromised. And for that, we’re just impossibly sorry.”
Snapchat is quick to point out that its internal systems were not affected, none of its users’ data was breached, and it has already reported the attack to the FBI. It has also contacted current and former employees to offer identity-theft insurance and monitoring for two years.
Snapchat is the latest in a long line of companies that have been targeted by various forms of online hacks and attacks. While retail giant Target was one of the most high-profile victims in recent times, other smaller-scale phishing attacks, such as that experienced by SendGrid last year, remind us how easy it is for a company’s reputation and security to be compromised. In SendGrid’s case, an employee’s account was accessed by a cyber attacker and subsequently used to access the company’s in-house systems.
However, what’s perhaps most revealing about the Snapchat episode is the way in which the company has responded. It was essentially an internal incident that only impacted employees and former employees at the company. Yet, Snapchat felt compelled to apologize publicly via its blog. But why? With so many notable security breaches and lapses in recent times, Snapchat was clearly preempting negative publicity around this — by revealing what happened voluntarily, without letting its hand be forced by “rumors,” it can try to claim some form of moral high ground.
In other words, Snapchat not only acted swiftly to deal with the incident by contacting the affected employees and reporting the situation to the FBI, but has also freely admitted its error to the world. “When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong,” the statement continued. “To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks. Our hope is that we never have to write a blog post like this again.”