DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Snapchat “just impossibly sorry” after employee payroll data compromised in BEC scam

Posted on February 29, 2016 by Dissent

John Russell reports that a number of Snapchat’s  current and former employees had their payroll information stolen after an employee fell for what has become a common attack known as BEC (Business Email Compromise). In BEC, a scammer poses as a corporate executive and sends an email requesting payroll or customer data.

“Last Friday, Snapchat’s payroll department was targeted by an isolated email phishing scam in which a scammer impersonated our Chief Executive Officer and asked for employee payroll information,” Snapchat explained in a blog post. “Unfortunately, the phishing email wasn’t recognized for what it was — a scam — and payroll information about some current and former employees was disclosed externally.”

 

Read more on TechCrunch.

Snapchat’s full statement, posted yesterday on their blog:

An Apology to Our Employees

We’re a company that takes privacy and security seriously. So it’s with real remorse–and embarrassment–that one of our employees fell for a phishing scam and revealed some payroll information about our employees. The good news is that our servers were not breached, and our users’ data was totally unaffected by this. The bad news is that a number of our employees have now had their identity compromised. And for that, we’re just impossibly sorry.

Here’s what happened: Last Friday, Snapchat’s payroll department was targeted by an isolated email phishing scam in which a scammer impersonated our Chief Executive Officer and asked for employee payroll information. Unfortunately, the phishing email wasn’t recognized for what it was–a scam–and payroll information about some current and former employees was disclosed externally. To be perfectly clear though: None of our internal systems were breached, and no user information was accessed.

Needless to say, we responded swiftly and aggressively. Within four hours of this incident, we confirmed that the phishing attack was an isolated incident and reported it to the FBI. We began sorting through which employees–current and past–may have been affected. And we have since contacted the affected employees and have offered them two years of free identity-theft insurance and monitoring.

When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong. To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks. Our hope is that we never have to write a blog post like this again.

Team Snapchat

Related posts:

  • New York City Man Pleads Guilty To Illegally Accessing Hundreds Of Snapchat Accounts And Sending Nude Photos
  • Victims of W-2 phishing scams (2017 list)
  • 74 Arrested in Coordinated International Enforcement Operation Targeting Hundreds of Individuals in Business Email Compromise Schemes
  • Previously Extradited Nigerian National Sentenced For Role In Multimillion-Dollar Business Email Compromise Schemes Targeting Educational Institutions And Businesses in North Carolina and Texas
Category: Business SectorOtherPhishingU.S.

Post navigation

← Some Time Warner Business Class customer data hacked and dumped by TeaMp0isoN
HIPAA Covered Entities Not Responsible For Intercepted Transmission of PHI When Individual Requested Unsecured Transmission, Office for Civil Rights Concludes →

2 thoughts on “Snapchat “just impossibly sorry” after employee payroll data compromised in BEC scam”

  1. R.J. says:
    February 29, 2016 at 8:03 pm

    “Mistakes” like these would happen a lot less if employees were properly trained to review the email addresses before responding to them. If the data was released “externally” then there may have been some telltale signs of the external email address either in the message header or its source information. Too many employees have the bare minimum of computing skills; often lacking the skills needed to help themselves protect not only their information but the information of colleagues and clients.

  2. IA Eng says:
    March 1, 2016 at 1:03 pm

    Doubling your efforts on something that did not work the first try is probably going to produce the same effect. Employee’s eyes glaze over at the same ole’ training over and over again. Some are done via mandatory fun in warm conference rooms that would challenge even the most savvy Bushido warrior to stay awake. Others send multitudes of emails with tips on how to get a grip with security issues. Most of these are glanced at and deleted.

    Offer a fresh new way to train / re-train personnel. There are suites designed to send the workforce phishing emails, when clicked on, tell them of their epic failure, and they must go through some sort of remedial training program. Another is to set up a signed non disclosure group that has access to a code word that must accompany all emails that deal in financial or PII of any nature. If the codeword is not present in the email or communication directly, it is considered suspect. Change the code word periodically like once a month or quarter.

    One of the “O’s” need to stand up and say it is OK to ask if the request is valid. Introduce people to the way paperwork flows within the company, who has authority to approve and deny info. People knowing who to ask about questionable emails or phone calls is vital.

    People are reluctant to tell the caller, “I will need to research this data. Do you have a contact number I can call you back when I am done?” You’d be surprised how many crooks trying to balk at their social engineering skills when they are put on the spot. People often fall (Fail?) for feeling comfortable and giving up the information requested, even though the customer service personnel are clearly in the wrong.

    Make the employees find news articles that show detailed information about a security breach that happened over the last year. No two entries can be the same. There are plenty to choose from. Hopefully they do not use themselves in the event.

    There are a TON of different ways to make security awareness work. have a sit down meeting with the “O”, IT managers, IT leads, IT security, financial and legal entities and pick a potential solution.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.