ThreatPost, May 24, 2019, with comments by Willy Leichter
Report finds Snap employees misused privileges of internal SnapLion tool to access Snapchat user data; experts warn that insider threats are a top challenge for privacy
In Q3 of 2018, Snapchat had 186 million users. Snapchat’s parent company, Snap, is on the defensive after last week’s report that Snap employees abused the access privileges they had to those users’ accounts. They violated Snapchat users’ privacy by not just accessing but actually spying on their data, including location data, phone numbers and saved Snaps.
One of the tools they used, SnapLion, was initially designed to collect data for law enforcement requests and court orders. But researchers discovered some employees were taking advantage of the tool, going outside the purpose of law enforcement to collect information like email addresses for personal reasons.
Organizations have valid reasons for giving their employees the capability to access volumes of user information. But they are severely challenged when it comes to preventing all of those employees from abusing their privileges. The employees who spied on users accessed information that was potentially quite personal. The information included saved Snaps, which contain photos and videos exchanged between users. These photos and videos self-delete after they are opened, but senders have the ability to save them. The employee-spies also accessed location, email, and phone numbers on the user accounts.
Along with frustration and concern, the report is raising a lot of eyebrows and questions. Perhaps it makes sense for Snap not to allow as much access as it does. And Snap should potentially increase its tracking of, and restrictions on, employees’ access to data. The report reveals that Snap already has some restrictions in place, such as a log-in system that lets the company track who uses the tool and what user data they look at. Snap has also claimed it already provides data monitoring and restricts access to internal tools, like SnapLion, to those who say they really need it.
Other security measures Snap has put in place include requiring users to log into a system that enables the company to track users, systems and data on the fly, as well as what data is accessed. But former employees have reported that the logging tool isn’t foolproof, and clearly it wasn’t sufficient to prevent this major violation.
Insider threats are attacks that organizations are constantly worried about and on guard against. Such threats are an increasing concern industry-wide, as confirmed by the recent Verizon Data Breach Investigations Report (DBIR). The report, published this month, says “privilege misuse and error by insiders account for 30 percent of breaches.” See our article, The 2019 Verizon Data Breach Investigative Report Is Out – Shows Major Perimeter Weaknesses for Enterprises.
Another, even bigger, social media company, Facebook, is also on the hook for many privacy violations. It is currently involved in several investigations (see our articles below) for breaching user privacy. But a year ago, it too had an insider issue, when it had to fire an employee for using data access privileges to stalk women online. A former Facebook employee reported that several employees had been terminated for similar behavior, including abusing access to user information and stalking executives.
Willy Leichter, vice president of marketing at Virsec, told Threatpost that arguably too much of the cyber privacy discussion is about egregious breaches or external leaks of private data rather than internal employee incidents.
“While [external leaks] are newsworthy, the broader question is how much trust we put in online services to whom we’ve voluntarily given information,” said Leichter. “Privacy regulations like the GDPR do have requirements for minimizing use of personal data to specific authorized activities, but oversight and enforcement of internal abuse rarely exists. The temptation for abuse is just too great for online services that monetize data to find creative ways to go over the line.”
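A defender-side illustration of the purpose-binding control the article says Snap has only partly in place, and that Leichter says is rarely enforced: an added example, not Snap’s or Virsec’s code, that audits constructed log lines from a hypothetical internal lookup tool and flags every access to a user’s data that is not tied to an authorised law-enforcement request the employee is actually handling. The request register, log format, employee names and records are all assumptions made up for this example.

```python
"""Audit-log check for an internal user-lookup tool (constructed example).
Every lookup must cite an authorised request, the request must be assigned
to the employee doing the lookup, and the looked-up user must be in scope."""
import json
from collections import Counter

# Constructed register of authorised requests: ticket -> handler and subjects in scope.
AUTHORISED_REQUESTS = {
    "LE-1001": {"handler": "alice", "subjects": {"user_42", "user_77"}},
    "LE-1002": {"handler": "bob", "subjects": {"user_9"}},
}

# Constructed audit-log lines, one JSON record per lookup.
SAMPLE_LOG = """
{"ts":"2019-05-20T09:01:00Z","employee":"alice","subject":"user_42","fields":["email","phone"],"ticket":"LE-1001"}
{"ts":"2019-05-20T09:02:00Z","employee":"alice","subject":"user_77","fields":["location"],"ticket":"LE-1001"}
{"ts":"2019-05-20T10:15:00Z","employee":"bob","subject":"user_9","fields":["saved_snaps"],"ticket":"LE-1002"}
{"ts":"2019-05-20T22:40:00Z","employee":"bob","subject":"user_31","fields":["location","phone"],"ticket":null}
{"ts":"2019-05-20T22:41:00Z","employee":"bob","subject":"user_32","fields":["email"],"ticket":"LE-1002"}
{"ts":"2019-05-21T01:05:00Z","employee":"carol","subject":"user_42","fields":["saved_snaps"],"ticket":"LE-1001"}
""".strip()


def audit_lookups(log_text, requests=AUTHORISED_REQUESTS):
    """Return (reason, record) for each lookup not justified by a request."""
    findings = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        ticket = rec.get("ticket")          # None when the lookup cited no request
        req = requests.get(ticket) if ticket else None
        if req is None:
            findings.append(("no_authorised_request", rec))
        elif req["handler"] != rec["employee"]:
            findings.append(("ticket_not_assigned_to_employee", rec))
        elif rec["subject"] not in req["subjects"]:
            findings.append(("subject_outside_request_scope", rec))
    return findings


def flag_employees(findings):
    """Count findings per employee so reviewers can see who needs a closer look."""
    return Counter(rec["employee"] for _, rec in findings)


if __name__ == "__main__":
    found = audit_lookups(SAMPLE_LOG)
    for reason, rec in found:
        print(f"{rec['ts']} {rec['employee']} -> {rec['subject']}: {reason}")
    print(dict(flag_employees(found)))
```

The three flagged lookups (no ticket, a ticket assigned to someone else, and a user outside the ticket’s scope) are the cases a log-in system alone records but does not prevent.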
Read the full ThreatPost article, “Snapchat blunder piques concerns.”