Facebook is garnering headlines for another data leak putting users’ privacy at risk. The latest incident involves the personal information of 533 million Facebook users from 106 different countries as apparently discovered by Alon Gal, co-founder and CTO of cybercrime intelligence firm Hudson Rock.
In an April 3 tweet, Gal said the data, which includes Facebook members’ account creation date, bio, birthdate, Facebook ID, full name, location, past location and relationship status, has been made available for free to members of a hacking forum.
In a January 14 post, he said an early 2020 vulnerability which exposed the phone numbers linked to every Facebook account had been exploited and that a hacker had advertised a paid bot that would allow users to query the database. Facebook claims the data must have been scraped prior to September 2019, before the vulnerability was addressed.
Facebook has no plans to notify individuals whose information was exposed because the company claims it does not know who was affected. Despite the patch in September 2019, 419 million records containing user IDs and phone numbers were leaked that same month. Then in December 2019, a Ukrainian researcher discovered a database on the open Internet which included the personal information of more than 267 million Facebook users.
Interestingly, in July 2019, the FTC announced that it had completed a year-long investigation and concluded that Facebook had “used deceptive disclosures and settings to undermine users’ privacy preferences” in violation of a 2012 FTC order. Specifically, third-party apps were allowed to collect the personal information of Facebook members whose friends had downloaded the apps.
According to the new 20-year settlement order:
- Facebook must pay a $5 billion fine which the FTC claims is unprecedented.
- Facebook’s board must form an independent privacy committee “removing unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy.”
- Zuckerberg and Facebook compliance officers must independently file certifications with the FTC quarterly which state the company is complying with the order.
- A third-party assessor must make biennial assessments of Facebook’s privacy program to identify any gaps and report to the new privacy board on a quarterly basis.
- The FTC can monitor Facebook’s compliance using discovery tools provided by the Federal Rules of Civil Procedure.
- Every new or modified Facebook, Instagram, or WhatsApp product, service or practice must undergo a privacy review before it’s implemented.
- If the data of 500 or more users has been compromised by a breach, the incident must be documented and shared with the FTC and the assessor within 20 days of the incident.
Other requirements can be found here, and yet another database of Facebook user information was just discovered.
Data privacy is a serious issue that organizations need to address proactively. While behemoths like Facebook can weather a $5 billion fine, lesser fines could be fatal to smaller organizations. A responsible approach to privacy should include:
- Privacy by design so the right guardrails are built into products and services.
- Penetration testing to identify weak areas.
- Patching to avoid unnecessary vulnerabilities.
- Board-level oversight to ensure that privacy is given the attention it deserves.
- One or more compliance officers, depending on the size of the company, whose job it is to ensure compliance.
- Data governance to avoid data misuse.
- Continuous monitoring to prevent or minimize data exfiltration.
- Scenario planning in case a breach occurs.
- A plan to notify affected victims and law enforcement should a PII leak occur.
- Ongoing security awareness training for IT and non-technical personnel to reduce the risk of inadvertent mistakes.