Snapchat Employees Spy on Users

Snapchat employees were abusing their power to spy on users. Employees used internal tools to access private user data. They were able to see location, saved Snaps, phone numbers, email addresses, and other personal information.

Four former employees and one current employee disclosed this information to Motherboard, telling them that employees at Snapchat were accessing user data. Further, internal company emails describe the abuse and the internal tool used to spy on users.

The tool, SnapLion, was created to collect data in response to law enforcement requests, like subpoenas and court orders. Snap’s ‘Spam and Abuse’ team, ‘Customer Ops’, and Security staff have access to the tool. Instead of using it only for that purpose, employees with access abused it to obtain user data.

One former employee said that SnapLion gives “the keys to the kingdom”. Another employee said that user data was accessed “a few times”. Others said that more than one employee abused their power. Several internal emails obtained by Motherboard show that employees used SnapLion to look up emails outside of law enforcement circumstances.

Snapchat has strict access controls and tries to ensure user privacy; however, it is important to remember that employees work on the application behind the scenes. Motherboard stated in their article:

“behind the products we use everyday there are people with access to highly sensitive customer data, who need it to perform essential work on the service. But, without proper protections in place, those same people may abuse it to spy on users’ private information or profiles.”

Additionally, Snapchat has responded to the violations, stating:

“Any perception that employees might be spying on our community is highly troubling, and wholly inaccurate. Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have, including data within tools designed to support law enforcement. Unauthorized access of any kind is a clear violation of the company’s standards of business conduct and, if detected, results in immediate termination.”

If you believe your organization has been targeted by an Insider Threat, contact LIFARS today.