The Sunday Telegraph

Facebook can’t say how many users affected by security lapse

- By Natasha Bernal

A DATA protection watchdog has criticised Facebook for failing to provide adequate information about a security breach that has compromised the personal details of millions of people.

The Irish Data Protection Commissioner (DPC), the regulator responsible for overseeing the company’s European data compliance, said it was “still awaiting” further information and clarification about the attack.

It is understood that Facebook still has not established how many people have been affected by the security breach in the UK. Meanwhile, the company’s analysts are also trying to see whether the hackers were trying to target people from one specific country.

The UK is one of the largest markets for Facebook – it is estimated that there are more than 32 million regular users in Britain. That could mean that up to 700,000 people in the UK have been affected, although Facebook sources insist that any attempt to say how many were affected would be speculation.

Facebook admitted on Friday that it had fallen prey to the biggest attack yet to hit a social networking company.

It emerged that 50 million users have become potential victims of identity fraud, as the US firm revealed that an additional 40 million people could have been exposed to similar attacks.

The security breach, which exploited a data flaw going back to July 2017, was discovered when Facebook employees noticed a large spike in traffic on Sept 16, possibly representing a single attack by one or more hackers.

In a statement the DPC, which is based in Ireland where Facebook has its EU headquarters, said the company contacted them last week about the breach. “The notification lacks detail and the DPC is concerned that this breach was discovered on Tuesday and affects millions of user accounts, but Facebook is unable to clarify the nature of the breach and the risk for users at this point,” it said. “The DPC continues to press Facebook to clarify these matters further as a matter of urgency.”

Facebook is now facing questions about why it had taken almost two weeks to shut the security hole. If EU regulators decide Facebook was negligent with people’s personal data it could be the first company hit by the stringent new fines of up to €20 million (£17.8 million) or 4pc of its global annual revenue, whichever is higher.

Damian Collins, chair of the Digital, Culture, Media and Sport Committee, said: “We need the proper regulators to have oversight of how Facebook is holding data and whether they are doing all they should to keep it safe.”

The UK’s National Cyber Security Centre, the GCHQ department responsible for cyber defence, is collaborating with the FBI after Facebook called them in to conduct an investigation.

Users have reported problems logging into apps such as Instagram, Hootsuite and the music app Spotify since Friday. The Facebook-owned messaging service WhatsApp was not affected. Facebook declined to comment.

How bad is the latest Facebook data breach? Well, hackers had full access to at least 50 million and possibly as many as 90 million Facebook accounts; they might or might not have downloaded every single piece of information from those accounts using automated tools; and they might not have been the only people to exploit the vulnerability during the 14 months it has probably existed.

Perhaps we should be reassured that the attackers did not steal any passwords, nor any payment details. All they had access to was what Facebook users had chosen to put on Facebook: their friends, their messages, their comments and photos.

In which case, surely one possible defence against such attacks could be to do what many people are already doing for their own reasons: not to delete Facebook but to withdraw from it, to never give it your real self. Or, better yet, to give it an elaborate fictional self – a lion-tamer, maybe, who secretly works for MI5 and models for Gucci on the side, who likes pages such as “Paragliding Away From Danger” and “Bulletproof Evening Gowns”.

That would certainly follow the logic of Facebook’s claims about itself. When Mark Zuckerberg, its chief executive, testified before the US Congress earlier this year, he repeatedly said that Facebook users were in control of their data and could edit or delete it at any time. This is true: over the last decade Facebook has vastly improved its privacy controls to the point where users really do have a lot of power over who advertises to them through its platform and how. So just don’t upload anything you wouldn’t want Russian spies to know.

But that wouldn’t quite be enough, because Mr Zuckerberg was very careful in what he told Congress. He only said that “you control and own the data that you put on Facebook”; he didn’t mention the data others put on Facebook in your name. A recent study found that advertisers could target you on Facebook using phone numbers and email addresses that you never gave it and cannot ask it to delete. These are harvested from your friends and acquaintances who did agree to share their address books. Behind the scenes, Facebook can connect those details with your profile using what it already knows, and allegedly it does this even for people who do not yet have an account, so that it has a head start when they do.

Fine: just make sure you never sign up to any social network with an email address any other human being knows. Except that this, again, might not be enough. Facebook may be able to connect different datasets together using other tools: your name, your particular place in a network of friends, or your pattern of activity. You can be identified through a unique advertising code that your mobile phone’s operating system generates, and your phone itself has a unique hardware ID too.

Nor are social networks the only bodies collecting data on you. Data brokers buy up information from public registries, supermarket reward schemes and even invisible “tracking pixels” – tiny remote images embedded in marketing emails, each carrying a unique identifier, so that the act of loading the image tells the marketer whether, when and roughly where you opened the message. The brokers aggregate all this into detailed profiles such as “successful single parent” and “rural and barely making it”, then sell it on to others. And that’s if everyone follows the rules.

The measures you would need to take in order to gain “complete control” of all this data might not be that hard, on their own. But you would have to be uncompromising. No checking your map on your smartphone because you’re late for a dinner party, since this would involve switching on “location services”. No discounts for being a member of something online. Certainly no social media apps on your phone. Maybe it’s better if you didn’t carry one.

Start thinking this way and you soon feel a bit mad. Probably you are. Doing all of this would entail wilfully opting out of all the benefits of data-driven services, which not only make ordinary tasks easier but allow whole new tasks that were not previously possible.

Most people aren’t willing to make that compromise – I’m certainly not. It might not even be worth it: you already walk down the street despite the risk of mugging, so why not use social media despite the risk of comprehensive identity theft?

The problem is, if you are worried, then you will not find a solution in data abstinence. As long as collecting and aggregating large amounts of data in one place remains a viable business model, there will be many tempting targets for digital burglars. This is a problem that can only be mitigated at the level of institutions and regulations. Or perhaps – given that this hack was enabled by a feature Facebook introduced to help people guard their privacy – not even then.
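To make the “tracking pixel” concrete, here is a small heuristic detector that scans the HTML body of an email for the tell-tale signs: a 1x1 or hidden image, served from a host other than the sender’s own domain, with a per-recipient token in its query string. This is example code written for this page, not anything from the article, from Facebook or from any mail vendor; the sample email, its hostnames (example-shop.test, example-mailer.test) and the rid/cid parameter names are all constructed for the illustration.

```python
"""Heuristic tracking-pixel detector for HTML e-mail bodies (example code)."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample newsletter: a visible logo, a visible hero image and one
# hidden 1x1 pixel on a third-party host carrying a per-recipient token.
# Hostnames and parameter names are invented for this example.
SAMPLE_EMAIL = """
<html><body>
<img src="https://cdn.example-shop.test/logo.png" width="200" height="60" alt="Shop">
<p>Hello Alice, your weekly offers are here.</p>
<img src="https://track.example-mailer.test/o.gif?rid=7f3a9c&cid=spring24"
     width="1" height="1" style="display:none" alt="">
<img src="https://images.example-shop.test/hero.jpg" width="600" height="300">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collects the attribute dicts of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # Valueless attributes arrive as None; normalise to "".
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(attrs, name):
    """Pixel size from the width/height attribute or inline style, else None."""
    raw = attrs.get(name)
    if raw is None:
        m = re.search(r"\b" + name + r"\s*:\s*(\d+)px", attrs.get("style", ""), re.I)
        raw = m.group(1) if m else None
    if raw is None:
        return None
    m = re.match(r"\d+", raw.strip())
    return int(m.group()) if m else None


def _is_tiny(attrs):
    w, h = _dimension(attrs, "width"), _dimension(attrs, "height")
    return w is not None and h is not None and w <= 1 and h <= 1


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return any(s in style for s in ("display:none", "visibility:hidden", "opacity:0"))


def _has_token(url):
    """True if any query value looks like an opaque per-recipient identifier."""
    values = [v for vals in parse_qs(urlparse(url).query).values() for v in vals]
    return any(re.fullmatch(r"[A-Za-z0-9_\-]{6,}", v) for v in values)


def _is_external(url, sender_domain):
    host = (urlparse(url).hostname or "").lower()
    if not sender_domain or not host:
        return False
    d = sender_domain.lower()
    return not (host == d or host.endswith("." + d))


def find_tracking_pixels(html, sender_domain=None, min_signals=2):
    """Return [{'url': ..., 'signals': [...]}] for images that look like beacons.

    An image is flagged when at least `min_signals` of the four indicators
    fire; a single weak signal (e.g. a token on a large product image) is not
    enough on its own.
    """
    collector = _ImgCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.images:
        url = attrs.get("src", "")
        if not url:
            continue
        signals = []
        if _is_tiny(attrs):
            signals.append("1x1 size")
        if _is_hidden(attrs):
            signals.append("hidden by style")
        if _has_token(url):
            signals.append("opaque token in query")
        if _is_external(url, sender_domain):
            signals.append("third-party host")
        if len(signals) >= min_signals:
            hits.append({"url": url, "signals": signals})
    return hits


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL, sender_domain="example-shop.test"):
        print(hit["url"], "->", ", ".join(hit["signals"]))
```

Run against the sample, only the o.gif image is flagged, with all four signals. The check is deliberately heuristic: a beacon can be a full-size image on the sender’s own domain, and a legitimate logo can be tiny, so treat the output as a triage list. The practical defence the detector hints at is simpler still: a mail client that does not fetch remote images until asked never fires the pixel at all.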
