Centre asks Facebook for update on latest data breach
NEW DELHI: India’s information technology (IT) ministry has asked social networking firm Facebook Inc. to provide Indiaspecific details on the company’s latest security breach, which has compromised 50 million user accounts. “If there is a hacking, the company should report the incident on its own. Since they did not inform us, the ministry asked them for details,” a senior official of the electronics and information technology ministry said on condition of anonymity.
This was conveyed to Facebook verbally on Monday, two other ministry officials confirmed on condition of anonymity. Facebook has asked for two days to respond to the ministry’s query, they added.
A Facebook spokesperson did not respond to queries from HT.
“We are awaiting the report from Facebook. We understand they will need some time to put together the information and send it to us, so we agreed to wait for two days,” the second official said. In July, the draft Data Protection Bill submitted by the justice BN Srikrishna-led committee proposed that a data breach must be reported to a Data Protection Authority (DPA). The draft stated that the Data Protection Authority (DPA) of India would have the mandate of protecting the interests of users who it described as “data principals”, and preventing the “misuse of personal data”. It called for financial penalties and jail terms in the case of violations. The draft bill is yet to be introduced in the Parliament. To be sure, India doesn’t have a DPA right now.
“The data protection draft is not a law at present, but once it is a law, they would have to automatically report this to the Data Protection Authority. For now the IT ministry is performing this role,” the first official said.
Last week, Facebook’s chief executive officer, Mark Zuckerburg, said its engineering team discovered an attack affecting up to 50 million accounts on September 25. “The attackers exploited a vulnerability in the code of the ‘View As’ feature which is a privacy feature that lets people see what their Facebook profile would look like to another person,” he said. The firm has not shared details on whether the hacked accounts were misused or if any information was accessed.
Legal and policy experts said such data breaches need to be reported with full disclosure but cautioned against too much interference by the government.
“The first step is for Facebook is to notify DPA and users who are impacted by the breach. Since India does not have any such body in place it should make a full public disclosure on the nature of the vulnerability and how and what personal information was compromised. It should at the same time write to users informing them about it. In an election year for India, when platforms can be used for profiling and targeting for propaganda, such breaches seem incredibly problematic,” said lawyer Apar Gupta.
Meanwhile, Facebook has named Adam Mosseri, a 10-year veteran at the company, as the head of Instagram. The appointment comes after the photo-sharing app’s co-founders resigned last week without giving a clear reason.