Snap, the company behind the popular Snapchat social media app, has found itself in hot water after a recent report revealed that Snap employees were abusing their access to private user data – which includes location data, saved Snaps and phone numbers.
According to a Thursday Motherboard report, Snap touted several internal tools enabling employees to access Snapchat users’ personal data. One such tool, dubbed SnapLion, was originally created to help collect data in response to law enforcement requests via court orders. However, several internal emails obtained by Motherboard showed several employees abused this capability, with one Snap employee looking up an email address for an account outside of a law enforcement situation, for instance.
The report raises several important questions about data privacy. While it may be inevitable that employees of companies have access to floods of data, companies face a serious challenge in preventing their own employees from abusing these privileges.
“As organizations grow, especially if they grow very quickly, it can be challenging to manage controls around customer privacy,” Tim Erlin, VP of product management and strategy at Tripwire, told Threatpost. “Consumers suffer from a lack of transparency in how their personal data is handled, managed and viewed after it leaves their proverbial hands. There is simply no way for me, as a consumer, to know who has access to my data once a company takes possession of it, and that fact leaves room for abuse to occur.”
This recent incident with Snap in particular raises concerns because of just how personal the data being collected is. That data includes saved Snaps themselves (photos or videos sent between Snapchat users that disappear after being opened, but which can also be “saved” by the sender), as well as location data, email addresses and phone numbers tied to accounts.
Specifically, the report raises questions about what types of restrictions Snap places on employee access to data and how it keeps track of that access. Snap for its part told Motherboard that it monitors all access to data, and limits access to the internal tools like SnapLion to only those who need it. According to the report, Snap does have a logging system that enables the company to track who uses systems and which data is accessed – but anonymous former employees told Motherboard that the logging isn’t perfect.
George Wrenn, CEO of CyberSaint Security, told Threatpost that organizations like Snap with widespread data access must be extremely careful when standardizing, measuring, and especially communicating the depth and breadth of their privacy and data protection programs.
“Clear communication and management from the board level down to every employee is key to the success and scalability of companies such as these,” he said. “Moving forward, it will be necessary for success as systems become more complex, and as personal data protection and privacy continue to shift to the forefront of our country’s concern.”
Insider threats continue to be a top concern across the industry. In fact, according to the Verizon Data Breach Investigations Report from this year, “privilege misuse and error by insiders” account for 30 percent of breaches.
And it’s not just Snap – a report last year found that Facebook had fired an employee who allegedly abused their access to data to stalk women.
Willy Leichter, vice president of marketing at Virsec, told Threatpost that, arguably, too much of the cyber privacy discussion centers on egregious breaches or external leaks of private data rather than internal employee incidents.
“While [external leaks] are newsworthy, the broader question is how much trust we put in online services to whom we’ve voluntarily given information,” said Leichter. “Privacy regulations like the GDPR do have requirements for minimizing use of personal data to specific authorized activities, but oversight and enforcement of internal abuse rarely exists. The temptation for abuse is just too great for online services that monetize data to find creative ways to go over the line.”
Snap, for its part, didn’t respond to a request for comment from Threatpost.