Facebook disclosed major hack swiftly, but details lacking
It took just three days for Facebook to notify authorities and the public that hackers had compromised as many as 50 million user accounts on the social media platform.
That’s an incredibly swift response. The flip side: Facebook leaders did not have enough information to paint a clear picture of the hack and the risk to its users during the announcement.
They didn’t offer details about who the attackers were, or what motivated them. Nor could they say where the affected users were located or how many users of Facebook-linked third-party applications were affected. “We’re very early in the investigation. Our next priorities are understanding the full scope of impact,” Facebook head of cybersecurity policy Nathaniel Gleicher said in a call with reporters.
The scarce information highlights a difficult trade-off companies must now consider as they face pressure from policymakers here and in Europe to disclose significant data breaches sooner. Europe’s new privacy law, the General Data Protection Regulation, imposes massive fines on companies if they don’t notify privacy regulators about a data breach within 72 hours.
The rule took effect in May and applies to any company with EU customers. US lawmakers have proposed a similar 72-hour rule to replace the patchwork of state data breach laws that exist here. By getting the word out early, companies alert users that their information may have fallen into bad hands. But they risk creating confusion by disclosing the breaches before key details are available.
Facebook’s former chief security officer, Alex Stamos, raised the issue in a pair of tweets this week: “You can do incident response quickly or correctly, but not both,” he wrote.