The popular social network, Snapchat, recently had a major data leak. It wasn’t from a software vulnerability or poor security on its network. Instead, the root cause of the breach was a naïve employee. Snapchat released a statement apologizing for exposing Social Security numbers and payroll information for approximately 700 former and current employees.
The attack was a social engineering threat not unlike others that occurred in recent years. The attacker called a Snapchat employee and pretended to be the CEO, Evan Spiegel. He then convinced the employee to send private payroll details of 700 employees through email. The social engineering hack displays how easy it is for hackers to gain access to sensitive data without writing one bit of source code.
In 2015, social engineering was behind half of the major breaches, and it continues to be a favorite for attackers. It doesn’t require a high level of technical expertise, so hackers are no longer forced to spend days finding a security hole in corporate firewalls or applications.
As a matter of fact, the biggest risk within an organization is employees. In a recent CompTIA report, only 30% of businesses reported human error as a major concern and only 54% offered any type of user security awareness training. Because organizations are slow to adopt security awareness, social engineering and phishing attacks are prominent in the hacking community. Not only are they popular, but they are extremely effective.
This isn’t the first time Snapchat has had security issues. It was hacked due to a bug in its software and 4.6 million accounts were exposed and released to the public. The social engineering attack is the second time Snapchat lost data, but this time the data released was far more critical and the attack was easier for the attacker to carry out.
Snapchat’s unfortunate data leak is just one more reason companies must monitor suspicious traffic and educate employees on the signs of a social engineering and phishing attack. While employees might not be malicious, they remain the number one target for these types of attacks. Since most users are unaware of the signs, it’s still a common and easily exploitable route for hackers.
Whether it’s monitoring systems or employee awareness, businesses that improve employee education have far fewer risk factors than those that disregard employee security as a concern. Monitoring, education, awareness, and notifications for suspicious network activity are key to preventing critical data loss.