“Two former employees said multiple Snap employees abused their access to Snapchat user data several years ago. Those sources, as well as an additional two former employees, a current employee, and a cache of internal company emails obtained by Motherboard, described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses,” Motherboard wrote on May 23.
Whether accurate or not, “the incident highlights the risks posed by insider threats. Most of the employees are busy doing their day-to-day jobs but a handful have malicious intent thus causing harm to the organizations they work for,” said Mayank Choudhary, senior vice president at ObserveIT.
“As in the case of Snapchat where a few users with elevated access were able to take their own and consumers’ data easily. Existing security controls did not pick this up, given most of the technology is focused on protecting the company from external threats. It’s high time that organizations focus on insider threats with platforms that help customers known the whole story, protect IP quickly, easily and reliably.”
However, the Motherboard report states that how any access might have been abused or which system was used remains unknown. Pointing out that the spying happened ‘several years ago,’ the story does note that one tool, SnapLion, is capable of accessing user data, according to multiple anonymous sources.
“Any perception that employees might be spying on our community is highly troubling and wholly inaccurate,” a Snapchat spokesperson wrote in an email to Infosecurity.
“Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have, including data within tools designed to support law enforcement. Unauthorized access of any kind is a clear violation of the company’s standards of business conduct and, if detected, results in immediate termination.”
Source: Infosecurity Magazine