Snapchat Privacy Blunder Piques Concerns About Insider Threats


After a report found that Snap employees were abusing their access to Snapchat data, experts are warning that insider threats will continue to be a top challenge for privacy.

Snap, the company behind the popular Snapchat social media app, has found itself in hot water after a recent report revealed that Snap employees were abusing their access to private user data – which includes location data, saved Snaps and phone numbers.

According to a Thursday Motherboard report, Snap built several internal tools that let employees access Snapchat users’ personal data. One such tool, dubbed SnapLion, was originally created to collect data in response to law enforcement requests made via court orders. However, internal emails obtained by Motherboard showed that several employees abused this capability; in one instance, a Snap employee looked up the email address on an account outside of any law enforcement request.

The report raises several important questions about data privacy. While it may be inevitable that employees of companies have access to floods of data, companies face a serious challenge in preventing their own employees from abusing these privileges.

“As organizations grow, especially if they grow very quickly, it can be challenging to manage controls around customer privacy,” Tim Erlin, VP of product management and strategy at Tripwire, told Threatpost. “Consumers suffer from a lack of transparency in how their personal data is handled, managed and viewed after it leaves their proverbial hands. There is simply no way for me, as a consumer, to know who has access to my data once a company takes possession of it, and that fact leaves room for abuse to occur.”

This recent incident with Snap in particular raises concerns because of just how personal the data being collected is. That data includes saved Snaps themselves (photos or videos sent between Snapchat users that disappear once opened, but which can also be “saved” by the sender), location data, and the email addresses and phone numbers tied to accounts.

Specifically, the report raises questions about what types of restrictions Snap places on employee access to data and how it keeps track of that access. Snap for its part told Motherboard that it monitors all access to data, and limits access to the internal tools like SnapLion to only those who need it. According to the report, Snap does have a logging system that enables the company to track who uses systems and which data is accessed – but anonymous former employees told Motherboard that the logging isn’t perfect.
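The controls described above, tool access limited to those who need it plus a log of who looked at what, only help if someone actually checks the log against a policy. The following is an added example, not code from Snap or from the Motherboard report: a small Python audit run over constructed, fictional lookup-log records. The tool’s log format, the JSON field names, the permitted roles and the case register are all assumptions made for this example.

```python
"""Added example: auditing an internal lookup tool's access log for
lookups with no documented justification. Everything here is constructed
for illustration; it is not Snap's log schema, policy or code."""
import json
from collections import Counter

# Constructed sample log (assumed schema): one JSON record per lookup in
# a hypothetical internal data-lookup tool. 'case_id' is the legal or
# trust-and-safety case the lookup was supposedly made for.
SAMPLE_LOG = """\
{"ts":"2019-05-23T10:01:12Z","user":"alice","role":"legal","field":"email","case_id":"LE-2019-0417"}
{"ts":"2019-05-23T10:05:40Z","user":"bob","role":"engineering","field":"location","case_id":null}
{"ts":"2019-05-23T10:07:02Z","user":"carol","role":"legal","field":"phone","case_id":"LE-2019-0418"}
{"ts":"2019-05-23T11:15:55Z","user":"bob","role":"engineering","field":"email","case_id":"LE-2019-0417"}
{"ts":"2019-05-23T11:16:01Z","user":"dave","role":"trust_safety","field":"saved_snaps","case_id":"TS-2019-0099"}
{"ts":"2019-05-23T11:30:30Z","user":"bob","role":"engineering","field":"phone","case_id":null}
"""

# Assumed policy: only these roles may use the tool at all, and every
# lookup must cite a case that is open and assigned to the person looking.
# The case register lives outside the tool so tool users cannot edit it.
ALLOWED_ROLES = {"legal", "trust_safety"}
CASE_REGISTER = {          # case_id -> user the case is assigned to
    "LE-2019-0417": "alice",
    "LE-2019-0418": "carol",
    "TS-2019-0099": "dave",
}


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit(records, allowed_roles=ALLOWED_ROLES, case_register=CASE_REGISTER):
    """Return a list of (record, reason) pairs for lookups that break policy.

    A single lookup can produce more than one finding (e.g. wrong role AND
    no case reference); each reason is reported separately so reviewers
    can see exactly which rule was violated.
    """
    findings = []
    for rec in records:
        reasons = []
        if rec.get("role") not in allowed_roles:
            reasons.append("role not permitted to use tool")
        case_id = rec.get("case_id")
        if not case_id:
            reasons.append("no case reference")
        elif case_id not in case_register:
            reasons.append("case reference not in register")
        elif case_register[case_id] != rec.get("user"):
            reasons.append("case reference belongs to another user")
        findings.extend((rec, reason) for reason in reasons)
    return findings


def findings_per_user(findings):
    """Count policy violations per user, so repeat offenders stand out."""
    return Counter(rec["user"] for rec, _ in findings)


if __name__ == "__main__":
    results = audit(parse_log(SAMPLE_LOG))
    for rec, reason in results:
        print(f"{rec['ts']} {rec['user']:<6} {rec['field']:<12} {reason}")
    print("violations per user:", dict(findings_per_user(results)))
```

Two design points matter more than the rule set itself. First, the justification (the case register) must be kept somewhere the tool’s users cannot write to, otherwise an employee can simply create a case for every lookup. Second, a review like this only sees what the tool logged: if the tool can be bypassed, or the log can be edited by the same people it records, the former employees’ remark that the logging “isn’t perfect” is exactly the gap an insider exploits, so the log should be written append-only to a store outside the tool operators’ control.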

George Wrenn, CEO of CyberSaint Security, told Threatpost that organizations like Snap with widespread data access must be extremely careful when standardizing, measuring and, especially, communicating the depth and breadth of their privacy and data protection programs.

“Clear communication and management from the board level down to every employee is key to the success and scalability of companies such as these,” he said. “Moving forward, it will be necessary for success as systems become more complex, and as personal data protection and privacy continue to shift to the forefront of our country’s concern.”

Insider threats continue to be a top concern across the industry. In fact, according to the Verizon Data Breach Investigations Report from this year, “privilege misuse and error by insiders” account for 30 percent of breaches.

And it’s not just Snap – a report last year found that Facebook had fired an employee who allegedly abused their access to data to stalk women.

Willy Leichter, vice president of marketing at Virsec, told Threatpost that, arguably, too much of the discussion around cyber privacy focuses on egregious breaches or external leaks of private data rather than on internal employee incidents.

“While [external leaks] are newsworthy, the broader question is how much trust we put in online services to whom we’ve voluntarily given information,” said Leichter. “Privacy regulations like the GDPR do have requirements for minimizing use of personal data to specific authorized activities, but oversight and enforcement of internal abuse rarely exists. The temptation for abuse is just too great for online services that monetize data to find creative ways to go over the line.”

This article was originally published by Threatpost.