Company accused of data breach ‘fabrication’
OTTAWA • Executives from a Canadian firm linked to a highly-publicized Facebook data breach have been lying to MPs about the nature of their work, an American cyber security analyst told a House of Commons committee investigating the breach on Thursday.
Aggregate IQ — a British Columbia company that develops software for political campaigns, among other services — was implicated in the illegal use of millions of Facebook profiles earlier this year. Whistleblower Christopher Wylie alleges that the company is directly affiliated with Cambridge Analytica, which purchased the data from a researcher for use in highly controversial campaigns in both the U.K. and the U.S.
Following Wylie’s allegations, both the B.C. and federal privacy commissioners began investigations of AggregateIQ. At a hearing in Ottawa in April, the company claimed they have no connection to Cambridge Analytica and do not engage in data harvesting.
But Chris Vickery, a researcher at UpGuard Security, says he has discovered information on an unsecured server belonging to Aggregate IQ that suggests those claims are a “complete fabrication.”
“They are definitely data harvesters,” said Vickery. “It’s a lie to say they have not harvested data.”
Vickery, who watched a livestream of AggregateIQ’s testimony, accused the company of dancing around questions — and using “weasel words” to avoid giving fulsome answers. “Word game, weasel words, whatever. It’s a lie,” said Vickery.
It’s the second time in just over a week that AggregateIQ’s chief executive officer Zack Massingham and chief operating officer Jeff Silvester have been called liars at committee hearings.
Wylie appeared by videoconference last week and said the company “completely disregarded the concept of truth” in its business dealings. If the company’s denials were correct, Wylie added, AggregateIQ would be offering only services an untrained intern could do. He said he found their testimony “farcical.”
On Thursday, Vickery also said he discovered content deep in the code on AggregateIQ’s server that suggests the company may have been aware that the personal data they were harvesting was in violation of U.K. privacy laws.
AggregateIQ has already testified before a parliamentary committee in the U.K. about the alleged breach of campaign spending limits while working for the Leave campaign during the 2016 Brexit referendum.
Vickery urged the House of Commons committee to treat its current investigation of AggregateIQ like the criminal pursuit of a “mob family,” where damaging testimony regarding low-level crimes is sometimes used as a bargaining chip to obtain information on bigger crimes.
The committee expects the executives from AggregateIQ to testify again on Tuesday.