Montreal Gazette

Another potential breach of Facebook data under scrutiny

- JAMES MCLEOD

A U.S. digital security researcher told a House of Commons committee Tuesday morning that he is investigating another possible Facebook-related data breach that could affect 48 million people, entirely separate from the ongoing Cambridge Analytica scandal.

Chris Vickery testified via video link from California to the parliamentary committee on access to information, ethics and privacy in relation to his research on data security, and specific work he’s done looking at AggregateIQ, the Canadian company linked to the Cambridge Analytica data breach.

The committee is looking into Facebook’s Cambridge Analytica scandal, and its fallout within Canada. It is expected to continue on Thursday, when Facebook Canada’s head of public policy, Kevin Chan, is scheduled to testify.

Vickery is the director of cyber risk research for UpGuard, an American digital security firm, and he describes himself as a “data breach hunter.”

He told MPs that he’s aware of a different privacy breach that’s “not reported at all yet.”

“That is not involved with Cambridge Analytica at all, as far as I know,” Vickery said. “The number is 48 million people on that one, and it does involve messages.”

For most of the last month, Facebook has been doing damage control after revelations from Canadian whistleblower Christopher Wylie shed light on Cambridge Analytica, a firm that allegedly scraped the data of 87 million Facebook users and then attempted to psychologically profile those people in order to help influence the U.S. 2016 presidential election in favour of Donald Trump.

In an emailed statement, Facebook did not respond to the specifics of Vickery’s testimony, but noted that the social network is in the process of auditing all the apps that had access to large quantities of user data through Facebook’s application interface, and they expect there’ll be more revelations to come as those audits unfold.

“If we find developers that misused personally identifiable information, we will ban them and inform anyone affected,” a Facebook spokesperson said.

Privacy Commissioner Daniel Therrien also testified Tuesday morning. Therrien’s office is investigating the Cambridge Analytica breach, which included the data of 622,161 Canadians’ Facebook accounts. The probe will take time to complete, but Therrien said he hopes to conclude it within a year.

Therrien told MPs that he believes Parliament urgently needs to enact stricter privacy regulation in Canada, and he said that the European Union General Data Protection Regulation is a good benchmark to look at.

“If there was ever a time for action, I think, frankly, this is it,” Therrien said.

Vickery said that his work as a data breach hunter focuses on finding information that organizations have accidentally left unprotected on the internet. In the case of AggregateIQ, he said that he found an obscure portal which allowed him to create an account for the company’s collaboration system, which gave him the ability to download company credentials, passwords, employee notes and more.

“Keep in mind that anybody in the entire world with an internet connection could have found the same thing and gotten an account the same way, downloaded the exact same things,” he said.

Vickery said companies are careless about these security holes, often leaving large quantities of private data in publicly accessible ways. He said the best way to prevent such breaches is to have government regulations with “teeth” that create a financial incentive for companies to act more carefully.

“Companies pay attention when their bottom line is going to be affected,” Vickery said in an interview following his testimony. “Make examples of the egregious violators of regulations behind data protection; make them afraid to be cavalier about it.”

Financial Post
