John Russell reports that a number of Snapchat’s current and former employees had their payroll information stolen after an employee fell for what has become a common attack known as BEC (Business Email Compromise). In BEC, a scammer poses as a corporate executive and sends an email requesting payroll or customer data.
“Last Friday, Snapchat’s payroll department was targeted by an isolated email phishing scam in which a scammer impersonated our Chief Executive Officer and asked for employee payroll information,” Snapchat explained in a blog post. “Unfortunately, the phishing email wasn’t recognized for what it was — a scam — and payroll information about some current and former employees was disclosed externally.”
Read more on TechCrunch.
Snapchat’s full statement, posted yesterday on their blog:
An Apology to Our Employees
We’re a company that takes privacy and security seriously. So it’s with real remorse–and embarrassment–that one of our employees fell for a phishing scam and revealed some payroll information about our employees. The good news is that our servers were not breached, and our users’ data was totally unaffected by this. The bad news is that a number of our employees have now had their identity compromised. And for that, we’re just impossibly sorry.
Here’s what happened: Last Friday, Snapchat’s payroll department was targeted by an isolated email phishing scam in which a scammer impersonated our Chief Executive Officer and asked for employee payroll information. Unfortunately, the phishing email wasn’t recognized for what it was–a scam–and payroll information about some current and former employees was disclosed externally. To be perfectly clear though: None of our internal systems were breached, and no user information was accessed.
Needless to say, we responded swiftly and aggressively. Within four hours of this incident, we confirmed that the phishing attack was an isolated incident and reported it to the FBI. We began sorting through which employees–current and past–may have been affected. And we have since contacted the affected employees and have offered them two years of free identity-theft insurance and monitoring.
When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong. To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks. Our hope is that we never have to write a blog post like this again.
Team Snapchat
“Mistakes” like these would happen a lot less if employees were properly trained to review the email addresses before responding to them. If the data was released “externally” then there may have been some telltale signs of the external email address either in the message header or its source information. Too many employees have the bare minimum of computing skills; often lacking the skills needed to help themselves protect not only their information but the information of colleagues and clients.
Doubling your efforts on something that did not work the first try is probably going to produce the same effect. Employee’s eyes glaze over at the same ole’ training over and over again. Some are done via mandatory fun in warm conference rooms that would challenge even the most savvy Bushido warrior to stay awake. Others send multitudes of emails with tips on how to get a grip with security issues. Most of these are glanced at and deleted.
Offer a fresh new way to train / re-train personnel. There are suites designed to send the workforce phishing emails, when clicked on, tell them of their epic failure, and they must go through some sort of remedial training program. Another is to set up a signed non disclosure group that has access to a code word that must accompany all emails that deal in financial or PII of any nature. If the codeword is not present in the email or communication directly, it is considered suspect. Change the code word periodically like once a month or quarter.
One of the “O’s” need to stand up and say it is OK to ask if the request is valid. Introduce people to the way paperwork flows within the company, who has authority to approve and deny info. People knowing who to ask about questionable emails or phone calls is vital.
People are reluctant to tell the caller, “I will need to research this data. Do you have a contact number I can call you back when I am done?” You’d be surprised how many crooks trying to balk at their social engineering skills when they are put on the spot. People often fall (Fail?) for feeling comfortable and giving up the information requested, even though the customer service personnel are clearly in the wrong.
Make the employees find news articles that show detailed information about a security breach that happened over the last year. No two entries can be the same. There are plenty to choose from. Hopefully they do not use themselves in the event.
There are a TON of different ways to make security awareness work. have a sit down meeting with the “O”, IT managers, IT leads, IT security, financial and legal entities and pick a potential solution.