What you need to know about the Facebook data leak

MIT TECHNOLOGY REVIEW
 


The news: The personal data of 533 million Facebook users in more than 106 countries was found to be freely available online last weekend. The data trove, uncovered by security researcher Alon Gal, includes phone numbers, email addresses, home towns, full names, and birth dates. Initially, Facebook claimed that the data leak was previously reported in 2019 and that it had patched the vulnerability that caused it that August. But in fact, it appears that Facebook did not properly disclose the breach at the time. It only finally acknowledged it on Tuesday, April 6 in a blog post by product management director Mike Clark.

How it happened: In the blog post, Clark said that Facebook believes the data was scraped from people’s profiles by “malicious actors” using its contact importer tool, a feature that uses people’s contact lists to help them find friends on Facebook. It isn’t clear exactly when the data was scraped, but Facebook says it was “prior to September 2019.” One complicating factor is that it is very common for cybercriminals to combine different data sets and sell them off in different chunks, and Facebook has had many different data breaches over the years (most famously the Cambridge Analytica scandal).

Why the timing matters: The General Data Protection Regulation came into force in European Union countries in May 2018. If this breach happened after that, Facebook could be liable for fines and enforcement action, as it failed to disclose the breach to the relevant regulators within 72 hours, as the GDPR stipulates. Ireland’s Data Protection Commission is investigating the breach. The timing is also significant in the US because Facebook signed a deal two years ago which gave it immunity from Federal Trade Commission fines for breaches before June 2019, so if the data was stolen after that, it could face action in the US, too.

How to check if you’ve been affected: Although passwords were not leaked, scammers could still use the information for spam emails or robocalls. If you want to see if you’re at risk, go to haveibeenpwned.com and check if your email address or phone number has been breached. 

 

 
