Snapchat sent out a letter to its employees, apologizing for exposing payroll information after a phishing scam succeeded.
On Friday, a scammer impersonating Chief Executive Evan Spiegel requested personal information about the payrolls of about 700 employees of Snapchat. One worker from the payroll department provided information on former and current employees of the company before realizing it was a hoax.
The employee who fell for the scheme leaked confidential information, such as benefits, wages, stock options, names, Social Security numbers and W-2 tax form data. About 15 minutes after dispatching the information, the worker realized that the request was fishy and checked the original request with Spiegel, but the Snapchat leader denied sending it.
Snapchat reports that it received over 400 legal requests concerning user data in four months, which means that the company gets an average of 100 requests per month, or more than three per day.
On Sunday night, the company released an apology letter. Snapchat is offering compensation, in multiple forms, to those affected.
"The affected employees were offered two years of free identity-theft insurance and monitoring," the company says.
Snapchat notified the FBI, which is currently looking into the phishing scam.
According to the company, there were zero breaches in its servers and all users' data are safe and untouched. Snapchat apologized for the fact that employees' data were compromised.
"A number of our employees have now had their identity compromised. And for that, we're just impossibly sorry," Snapchat notes.
The company commits to preventing such an unfortunate incident from ever happening again.
A number of separate studies showed that when it comes to enterprise data breaches, phishing and other social engineering tactics are among the first culprits.
Regardless of the number of firewalls and IT defense systems deployed by companies, hackers are crafty enough to trick employees into releasing data in response to realistic messages. Another method of compromising a corporate entity's data is to send malicious links to its workers and get them to click on them.
It is not uncommon for firms to have software and additional security filters that keep certain information from being sent outside internal networks. Many of them, such as Snapchat, include extensive security training for employees. This means that so-called "phishing drills" are executed so that workers learn first-hand what threats and suspicious activities look like.
"We will redouble our already rigorous training programs around privacy and security in the coming weeks," the apology letter reads.
The company refused to publish the phishing email because of the ongoing law enforcement investigation.
Snapchat is one brand that puts a lot of emphasis on cyber security. This is due to the large number of users who tap into the entertainment app each day. The company's figures show that over 100 million people send sensitive photos and videos (of themselves) every day.
It should be mentioned that Snapchat faced security issues in the past. In 2013, hackers found an exploit that caused the names and phone numbers of about 4.6 million users to be compromised. After the incident, the company promised significant boosts in security.
One of the main reasons Snapchat is so popular is the privacy that the app offers its users. The key to this is that the pictures sent via Snapchat will self-delete after a while.