Snapchat’s messages may disappear, but that doesn’t mean its employees want their personal data to do the same. When it comes to breaches, it’s not just consumers who can become victims — the inner workings of companies are at risk too. On Sunday, Snapchat disclosed that an employee “fell for a phishing scam and revealed some payroll information about our employees,” compromising the identities some of its current and former employees.
“Last Friday, Snapchat’s payroll department was targeted by an isolated email phishing scam in which a scammer impersonated our chief executive officer and asked for employee payroll information,” Snapchat explained in its blog post. “Unfortunately, the phishing email wasn’t recognized for what it was — a scam — and payroll information about some current and former employees was disclosed externally.”
Happily, the app insists, “None of our internal systems were breached, and no user information was accessed.”
This is by no means the first time that the company has had issues with hacks and breaches, though generally, they’ve affected users and not employees. In 2014, the ephemeral application leaked around 200,000 photos, though it passed the blame onto unofficial third-party apps. This time, however, the fault lies squarely on Snapchat, and only those closest to the company appear to be impacted.
While Snapchat hasn’t revealed exactly what sort of data was compromised, payroll information typically includes things like salary data, social security numbers, bank information, addresses, emails, and other forms of identification that could be combined to create quite the problem for Snapchat employees. The FBI has been alerted to the breach, and all affected employees are reportedly being offered two years of identity theft insurance and monitoring free of charge.
“When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong,” Snapchat said in its blog post. “To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks. Our hope is that we never have to write a blog post like this again.”