Popular image sharing platform Snapchat has admitted that sensitive employee payroll data was accessed by hackers after a member of staff fell victim to an email phishing scam impersonating the company's chief executive Evan Spiegel. Despite responding "swiftly and aggressively", Snapchat has been forced to contact a slew of employees past and present to let them know their financial details may have been compromised.
"It's with real remorse - and embarrassment - that one of our employees fell for a phishing scam and revealed some payroll information about our employees," the firm said in a blog post addressed to staff. "A number of our employees have now had their identity compromised. And for that, we're just impossibly sorry."
Sophisticated phishing scams remain a common threat to businesses of all sizes and are increasingly targeted at individual employees. Traditionally, they infiltrate a firm by posing as a legitimate email that, when opened, delivers a malicious payload or virus.
In this instance, Snapchat said the employee targeted by the scam didn't recognise that it was a dodgy email and, as a result, payroll information was exposed on Friday 26 February. However, the firm stressed that no internal systems were breached, no user information was stolen and the relevant authorities have been notified.
"We're a company that takes privacy and security seriously. When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong," the statement continues. "To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks. Our hope is that we never have to write a blog post like this again."
Jonathan Sander, vice president of product strategy at Lieberman Software, said phishing scams are now an "everyday occurrence", adding that every type of business now needs to learn about the risks of common cyber-threats.
"The fact that Snapchat got snagged with this shows that being young, cool, and high tech doesn't protect you from being a phishing target," he explained. "Even people born into the internet, apps, and the cloud are clicking on bad links. That's very good news for attackers in case they were worried that millennials would put them out of the phishing business with their tech savviness.
"The unfortunate truth is that a phishing email helping a bad guy grab sensitive data is an everyday occurrence and we're only seeing so many headlines about it because of the name Snapchat being connected. If this was a trucking company in western Pennsylvania we wouldn't even know it happened. The damage to the employees would be every bit as real, though."
In a previous cyberattack in 2013, a major Snapchat database was hacked, which left over four million user accounts exposed online. The hacker – using the pseudonym LightContact – initially posted the mass of account details to Reddit and a separate website called SnapchatDB.info.