The 25 September Facebook data breach, first thought to have affected up to 90m user accounts, is a wake-up call for social media users and the technology sector.
Facebook originally put the number of affected accounts at up to 90m (around 50m known to be compromised, plus a further 40m whose access tokens were reset as a precaution). On October 12 it revised that figure down to 'about 30m people' and in the process confirmed that the data taken included users' personal and sensitive information.
For users, it is yet another stark example of the fragility of the personal and private lives so many of us willingly share on social media. This sophisticated attack allowed hackers to steal Facebook access tokens and use them to take over people's accounts (Facebook attributed it to a bug in its 'View As' feature, which under certain conditions generated an access token for the profile being viewed rather than for the person viewing it). Access tokens are the equivalent of digital keys: they keep users logged in and remove the need to re-enter a password every time they use the app. Crucially, they are bearer credentials. Whoever holds the token can act as that user, so a stolen token is as good as a stolen password until it expires or is revoked, which is why Facebook's response was to reset the tokens of every account that might have been affected.
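To make the token mechanics above concrete, here is an added example (not code from the original article, and not Facebook's implementation) of a minimal bearer-token scheme with a lifetime and a cheap bulk reset. The token format, the one-hour lifetime, the per-user "generation" counter and the user ids are all assumptions made for illustration.

```python
# Added example, not code from the original article: a minimal model of bearer
# access tokens with a lifetime and bulk revocation. The token format, the
# one-hour TTL and the user ids are assumptions made for illustration.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SECRET_KEY = secrets.token_bytes(32)   # server-side signing key (hypothetical)
TOKEN_TTL = 60 * 60                    # token lifetime in seconds (assumption)

# Per-user token "generation". Bumping it invalidates every token issued
# before the bump without having to find and delete each token individually.
_generation: Dict[str, int] = {}


def _mac(payload: str) -> str:
    """Keyed hash over the token payload so clients cannot forge or alter it."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, now: float) -> str:
    """Mint an opaque bearer token of the form user|generation|expiry|mac."""
    gen = _generation.setdefault(user_id, 0)
    payload = f"{user_id}|{gen}|{int(now) + TOKEN_TTL}"
    return f"{payload}|{_mac(payload)}"


def verify_token(token: str, now: float) -> Optional[str]:
    """Return the user id if the token is authentic, unexpired and not revoked.

    Note what is NOT checked: who is presenting the token. That is what makes a
    stolen token equivalent to a stolen password until it expires or is revoked.
    """
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user_id, gen, exp, mac = parts
    expected = _mac(f"{user_id}|{gen}|{exp}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None                      # forged or tampered with
    if not exp.isdigit() or int(exp) <= now:
        return None                      # expired
    if not gen.isdigit() or int(gen) != _generation.get(user_id, 0):
        return None                      # revoked by a later reset
    return user_id


def revoke_all_tokens(user_ids) -> None:
    """Bulk reset of the kind Facebook applied to the affected accounts."""
    for uid in user_ids:
        _generation[uid] = _generation.get(uid, 0) + 1
```

The generation counter is the design choice worth noting: resetting millions of sessions becomes one increment per user rather than a search-and-delete over every live token, and anything minted before the reset fails verification even if the attacker still holds it. A short lifetime bounds the damage window for tokens that are never explicitly revoked.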
The access token concept and the "Log in with Facebook" button found on so many sites have bred password and security complacency among users. We have placed so much trust in Facebook to manage the security of our private data that we have become security lazy.
For the technology sector, a breach of this size holds some very sobering lessons, including:
A failure to understand how technology designed to work at an individual level could be exploited or repurposed when scaled up to millions of users.
No one involved in the development and deployment of this technology stopped to rethink their approach.
Organisations have not changed their attitudes and approaches to the use of our data; many still think it is their data. It is not.
Designers and developers are still not embedding a privacy-by-default approach.
Experience tells us that investigating a breach of this size is a very complex and time-consuming activity. At the very least, this may prove to be the first major test of the General Data Protection Regulation (GDPR) introduced by the European Union in May 2018, which allows fines of up to 4% of global annual turnover, reported at the time as a potential fine of up to around £1.25bn for Facebook.
There will be no quick answers for users who are trying to understand what has happened to their data. Disappointingly, Facebook has said that it will not provide free identity theft protection to breach victims. Such services watch for signs that an identity thief may be using your personal information and help you deal with the effects if it happens. This has become a common offering in the wake of massive data breaches, with Sony, Anthem and Orbitz all having offered it to impacted users.
Facebook's unwillingness to provide something similar is a clear data breach response misstep, and because of it the company has missed an opportunity to demonstrate that it really cares about its users, their data and their online identities. For companies handling personal and sensitive data, the outcome of any regulatory investigation will be a signpost to the future, so they should watch this space with interest.
Protecting yourself online
Every user of every social media network should stop for a moment and think about their online activity and about whom they entrust with the security and use of their personal and private data. Users should also change the password on any account that shared a password with Facebook and enable multi-factor authentication. This is increasingly commonplace: Australia's MyGov and many online banking apps require a log-in plus a code sent to the user's mobile phone for added security. An authenticator app or hardware security key is stronger than an SMS code, but either is a large improvement over a password alone.
Impacted users from the recent Facebook hack can expect to receive carefully crafted, convincing phishing emails and SMS messages for quite some time to come, and there is little they can do to stop them arriving. A phishing campaign built on a large amount of accurate and detailed personal data is very profitable for the people running it. Vigilance, and always testing the validity of a communication, is a must: look at the actual sender address and domain rather than the display name, treat urgent requests and unexpected links with suspicion, check for spelling and grammatical errors, and go to the site directly rather than through the link you were sent.
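The sender checks above can be automated. The following is an added example, not code from the original article: it parses two constructed sample messages (a lookalike phish and a genuine-looking notification) and reports why the sender looks suspicious. The trusted domain list, the brand name and every header in the samples are assumptions made for illustration.

```python
# Added example, not code from the original article: a simple check of "who the
# email is sent from", run over two constructed sample messages. The trusted
# domains and the headers below are assumptions made for illustration.
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Domains the genuine sender is expected to use (assumption for the example).
TRUSTED_DOMAINS = {"facebook.com", "facebookmail.com"}
BRAND = "facebook"

# Constructed sample: a lookalike domain, a foreign Reply-To and no DKIM pass.
PHISH = """From: "Facebook Security" <security@faceb00k-login.example>
Reply-To: recovery-desk@mail-helper.example
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=faceb00k-login.example; dkim=none
Subject: Unusual login to your account

Your account was accessed from a new device. Click here to secure it.
"""

# Constructed sample: expected domain, no Reply-To, SPF and DKIM both pass.
GENUINE = """From: Facebook <security@facebookmail.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=facebookmail.com; dkim=pass header.d=facebookmail.com
Subject: Your login sessions were reset

We recently reset the login sessions on your account.
"""


def _domain(address: str) -> str:
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _dehomoglyph(label: str) -> str:
    """Undo common digit-for-letter substitutions used in lookalike domains."""
    return label.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))


def sender_warnings(raw_message: str) -> List[str]:
    """Return the reasons a message's sender looks suspicious (empty means none)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = _domain(addr)
    warnings: List[str] = []

    if domain not in TRUSTED_DOMAINS:
        warnings.append(f"sender domain {domain!r} is not an expected {BRAND} domain")
        if BRAND in _dehomoglyph(domain):
            warnings.append(f"sender domain {domain!r} imitates {BRAND}")
        if BRAND in display.lower():
            warnings.append(f"display name {display!r} claims {BRAND} but the address does not")

    # A Reply-To pointing somewhere other than the sender's own domain is a classic tell.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != domain:
        warnings.append(f"replies are routed to {_domain(reply)!r}, not {domain!r}")

    # The receiving mail server records SPF/DKIM results; a genuine bulk sender passes both.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=pass" not in auth or "dkim=pass" not in auth:
        warnings.append("message did not pass both SPF and DKIM at the receiving server")
    return warnings


if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("GENUINE", GENUINE)):
        print(name, sender_warnings(sample) or ["no sender warnings"])
```

One caveat a practitioner would add: an Authentication-Results header is only meaningful if it was written by your own receiving server, which should strip any copy the sender included. The display name check matters because mail clients show the name far more prominently than the address, which is exactly what a phisher relies on.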
For the technology industry, now is the time to learn lessons that go beyond staying out of compliance trouble, towards genuine respect for customers and their personal data. Access to personal data allows you to provide better services to your customers and to build new products, but it also comes with a high degree of responsibility and a duty of care to protect that information. That means ensuring your own systems keep improving in step with developments in cyber security threats, and consistently educating your users on how to protect themselves online. Doing the bare minimum leaves you open not only to security risks, but to brand and reputation damage that will be hard to recover from.