[BreachExchange] The human problem at the heart of Snapchat’s employee data breach

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 1 18:30:24 EST 2016


https://www.washingtonpost.com/news/the-switch/wp/2016/03/01/the-human-problem-at-the-heart-of-snapchats-employee-data-breach/

Snapchat says it's "just impossibly sorry" for a recent data breach that
exposed payroll information of some current and former employees on Friday.

The Snapchat data wasn't stolen by a coding mastermind who penetrated the
company's servers using some unknown flaw. Instead, it was stolen by an
attacker who exploited a much simpler, more human vulnerability: trust. The
attacker pretended to be Snapchat chief executive Evan Spiegel and tricked
an employee into emailing over the information, according to a blog post
the company posted Sunday about the incident.

Roughly 700 current or former employees had information including their
names, Social Security numbers and wage data compromised in the attack,
according to the Los Angeles Times. Snapchat declined to confirm those
details to The Washington Post or to comment further beyond the blog post.

The incident highlights one of the biggest challenges for companies
struggling to protect sensitive information: Even if your technical
security is up to snuff, your people may let you down.

It's no secret that people make bad security choices. Just look at the
laughably bad passwords like "123456" and "password" that keep showing up
in breached data troves. But companies are, of course, made up of people --
people who can make the same type of mistakes in the workplace that they
make in their personal digital lives.

In fact, the "human element" was the root cause of more than half of
security breaches according to a 2015 report from tech trade association
CompTIA. Yet that same report, which was based on surveys of hundreds of
U.S. business executives and technology professionals, suggests that
companies may not be doing enough to prepare their workers for a world
where a new scam might be in their inbox every day.

Despite the scope of the problem, only 30 percent of companies rated the
"human element" as a serious concern -- and just 54 percent offered some
sort of cybersecurity training, most often as part of new employee
orientation or an annual refresher course, according to the report.

The Snapchat case is a good example of why companies need to treat their
people as a key part of keeping their data safe. Just ask
the social network, which is now working with the FBI to investigate the
employee data breach and providing two years of identity theft protection
to those affected.

"When something like this happens, all you can do is own up to your
mistake, take care of the people affected, and learn from what went wrong,"
the company said in the blog post. "To make good on that last point, we
will redouble our already rigorous training programs around privacy and
security in the coming weeks."

Snapchat has had security woes in the past. A few years ago, a bug left the
usernames and phone numbers of users exposed -- and one group exploited it
to release information about 4.6 million accounts, apparently in an effort
to highlight the company's lax security practices. But the latest breach
only affected current and former employees, according to the blog post.