With Facebook having to inform a staggering 530 million-plus users that their data was exposed in a 2019 breach, criticism of the company’s handling of the incident has prompted many to ask just what is happening.
It has been reported that in 2019, the ‘scraped’ details of 530m Facebook users were exposed on a hacker’s forum. The stolen dataset, including details from users in 106 countries, is reported to have included phone numbers, Facebook IDs, (full) names and birthdates, but not financial information, health information or passwords. This ‘old’ data is reported to have recently been made publicly available again in an unsecured database.
According to Facebook, before 2019, a simple bug in its Contact Importer code allowed hackers to access part of an unprotected server in the company’s systems and to ‘scrape’ user profile data.
The database that appeared to contain scraped details of the Facebook users was originally discovered online in September 2019, just one day after it was known to have been taken. At the time, it was reported that most of the data came from US users but that 18 million records were from UK users.
Facebook appears to place the blame on the ‘malicious actors’ and puts it down to the “adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services.” Facebook has made it clear that this story is not about a recent hack of its systems but is old news and old data: back in 2019, after the scraped dataset was posted online, Facebook changed the contact importer so that the software could no longer be used to imitate the app and upload a large set of phone numbers in order to see which ones matched Facebook users.
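The weakness described above is a classic enumeration problem: a feature that takes a list of phone numbers and reveals which ones belong to accounts becomes a bulk lookup tool once a client imitates the app and submits numbers at scale. The following Python is an added illustration, not Facebook’s code, and the directory, account ids and limits in it are constructed placeholders. It places the unrestricted pattern beside a hardened matcher that normalises numbers, caps the size of a single upload, enforces a per-account daily lookup budget and records rejected bulk attempts for the detection team.

```python
import re
from collections import defaultdict

# Constructed sample directory (placeholder ids, not real data): phone number -> profile id
USER_DIRECTORY = {
    "+14155550101": "user_1001",
    "+14155550102": "user_1002",
    "+442079460123": "user_2001",
}


def normalize_phone(raw: str) -> str:
    """Reduce a phone number to an E.164-style '+digits' form so lookups match
    regardless of spaces, dashes, brackets or a 00 international prefix."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("00"):          # 0044... written instead of +44...
        digits = digits[2:]
    return "+" + digits


def match_contacts_unrestricted(phones):
    """Weak pattern: any caller may submit any number of phone numbers and learn
    which ones belong to users. Nothing here stops a client that imitates the
    app from feeding in an entire numbering range."""
    return {p: USER_DIRECTORY[p] for p in map(normalize_phone, phones) if p in USER_DIRECTORY}


class ContactImporter:
    """Hardened pattern: per-upload cap, per-account daily lookup budget, and an
    audit trail of rejected bulk attempts for review by the detection team."""

    def __init__(self, max_per_upload=500, daily_budget=2000):
        self.max_per_upload = max_per_upload
        self.daily_budget = daily_budget
        self.used_today = defaultdict(int)   # account id -> lookups consumed today
        self.alerts = []                     # (account id, reason, count) tuples

    def match_contacts(self, account_id, phones):
        normalized = {normalize_phone(p) for p in phones}   # de-duplicate before counting
        if len(normalized) > self.max_per_upload:
            self.alerts.append((account_id, "upload_cap", len(normalized)))
            raise ValueError("too many contacts in one upload")
        if self.used_today[account_id] + len(normalized) > self.daily_budget:
            self.alerts.append((account_id, "daily_budget", len(normalized)))
            raise ValueError("daily contact-lookup budget exhausted")
        self.used_today[account_id] += len(normalized)
        # Only matches are returned; the service never echoes back non-matches.
        return {p: USER_DIRECTORY[p] for p in normalized if p in USER_DIRECTORY}


if __name__ == "__main__":
    importer = ContactImporter(max_per_upload=3, daily_budget=5)
    print(importer.match_contacts("acct_a", ["+1 (415) 555-0101", "0044 20 7946 0123", "+1 415 555 0199"]))
    try:
        importer.match_contacts("acct_b", ["+1555%07d" % i for i in range(4)])
    except ValueError as err:
        print("rejected:", err, importer.alerts[-1])
```

The limits are deliberately small here so the rejection paths are visible; in production the cap would be set around the size of a genuine address book, and the `alerts` list would feed a SIEM rather than memory. The point the example makes is that the fix Facebook describes is a behavioural control on the importer, not a change to the data it holds.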
With the trust-damaging Cambridge Analytica data still casting a shadow over Facebook, the re-surfacing of this scraped data online last weekend and Facebook’s apparent attitude to it has drawn a good deal of criticism including:
– An initial silence from Facebook after the Business Insider article highlighted the breach. Ireland’s Data Protection Commission (DPC), for example, said that it had received no communication from Facebook over the weekend when the breach was announced.
– The fact that although Facebook may see this as old data, this vast quantity of data may still be of use to cybercriminals. For example, any stolen phone numbers that can be connected with email addresses could still be used to obtain an SMS code to log in to the victim’s email account (SIM-swapping redirects SMS-based codes to the attacker’s device). The stolen data may also be used for other disruptive activities such as spam calls.
– Facebook may not have notified users whose data was stolen and may still be unlikely to. There is no simple way for these users to tell if, or how seriously, they have been affected, or whether their data has been passed on, sold on or used in other attacks. Users whose details were stolen could well still have the same details as they did 3 years ago, may not have changed any of them, and may therefore be at risk of other attacks at any time.
– Criticisms of an apparent culture of impunity and a questionable attitude to customers’ data privacy and security at Facebook, through its dismissal of 533 million people’s data as essentially old news that it couldn’t really do anything about, simply saying that the data is now “publicly available”.
– Questions over whether, under GDPR, Facebook does still have a responsibility to inform users whose data has been stolen and criticism that Facebook should be doing more to respond to European regulators and not just American ones.
– That Facebook may have more antitrust questions to answer in Washington and that there now needs to be more transparency, accountability, and regulation of the activities and privacy/security measures taken by big social media companies, and that these companies must somehow be made to act more responsibly in several areas, including data protection.
– That the market dominance and apparent monopoly position of Facebook (it owns the platforms Instagram and WhatsApp) has allowed these privacy and security issues to keep happening.
What Can You Do?
One of the few things that users can do to see if their details have been taken in this or other known leaks/attacks is to check on the HaveIBeenPwned website.
What Does This Mean For Your Business?
The staggering size of this breach, coupled with what many have seen as an unsatisfactory response from Facebook, on top of the company’s history with data privacy and security (e.g. the Cambridge Analytica scandal), has seen the social media giant come back under the spotlight once again, with many calling for greater accountability (particularly to European regulators). This will, no doubt, be another blow to user trust and could fuel action in Washington, adding new momentum to the whole antitrust battle and the question of what to do with a dominant social media giant to stop this kind of thing from happening. For users, as individuals and those with business pages, and for users of Instagram and WhatsApp, it’s a case of not really knowing whether their data has been stolen and sold on (apart from proactively checking on a website) and feeling relatively powerless in their relationship with the social media giant as regards their data privacy and security, and the company’s apparent attitude to it. Many may feel that pressure at state level, government questions, and tougher action from regulators may be the only real way to force changes in such a powerful company.