UPDATED 16:21 EST / APRIL 07 2021

SECURITY

Concerns emerge about Facebook’s disclosure of user data breach

New concerns have emerged about whether Facebook Inc. properly disclosed a data breach through which about 553 million of its users’ personal information ended up on hacker forums.

The breach started making headlines after Business Insider reported it over the weekend. In a Tuesday blog post responding to the Business Insider report, Facebook stated that the “methods used to obtain this data set were previously reported in 2019.” However, a story published by Wired later on Tuesday raises the possibility that users and regulators may in fact not have been properly informed about the incident in 2019.

According to Facebook, malicious actors obtained the personal information of the affected 553 million users not by breaking into its systems, but rather by scraping the data from its website. Facebook believes that the scraping was carried out using a flaw in its address book contacts import feature. The company’s engineers fixed the flaw in September 2019.

The uncertainty is about how the social giant disclosed the issue. Facebook’s claim that the “methods used to obtain this data set were previously reported in 2019” is based on a CNET story published that year about an exposed dataset containing Facebook users’ information. However, Wired reported on Tuesday that the dataset mentioned in the CNET story “seems not to be the currently circulating data set” and there are “different attributes and numbers of users impacted in each region.”

Facebook reportedly stated at one point that a Forbes story from September 2019 also shows it had disclosed the contact importer breach. However, Wired’s investigation suggests that Forbes covered a “similar yet seemingly unrelated finding in Instagram.”

In yet another twist, Facebook reportedly acknowledged today that it didn’t notify affected users about the breach. A spokesperson told Reuters that the social network currently has no plans to do so.

The details of how and when Facebook disclosed the data leak are significant partly because, under the European Union’s GDPR privacy regulation, companies are required to disclose breaches in a timely manner. GDPR came into effect in 2018 and the scraping exploit used to steal the dataset at the center of the saga was fixed in September 2019. As a result, it’s possible the regulation could apply in this case.

Under GDPR, companies can face fines amounting to as much as 2% of their global annual turnover for failing to report breaches in the required manner.

The Irish Data Protection Commission, which oversees Facebook’s privacy practices in the EU, said on Tuesday that the leaked dataset may include a mix of user information harvested both before and after GDPR came into effect. 

“Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR,” the watchdog said in a statement. “The newly published data set seems to comprise the original 2018 (pre GDPR) data set and combined with additional records, which may be from a later period.” 

“We’re focused on protecting people’s data by working to get this data set taken down and will continue to aggressively go after malicious actors who misuse our tools wherever possible,” Facebook said in its Tuesday blog post. “While we can’t always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work.”
