In September 2018, almost 50 million Facebook users were left exposed by a security breach. A year later, what has changed for  Facebook and lawmakers, and what lessons have been learned? Umar Ali sat down with SecurityScorecard VP of compliance Fouad Khalil to find out more.

Facebook data breach

Facebook’s string of data scandals, including the 2018  data breach, which saw over 50 million users left vulnerable after attackers exploited a security flaw, stands out as a troubling chapter in the history of the Internet.

Although Facebook said that there was no evidence accounts had been compromised, the company is no stranger to controversy surrounding data security, with incidents such as the Cambridge Analytica scandal raising concerns about how safe Facebook users’ data is and what it is being used for.

Ahead of the one-year anniversary of the breach, Verdict spoke with Fouad Khalil, VP of compliance at US-based security company SecurityScorecard, about how the online landscape has changed following the breach and what could still be done to protect data.

Umar Ali (UA): Could you give a brief overview of what happened with the data breach?

Fouad Khalil (FK): Well, there’s a lot of things that happened with the Facebook data breach, one of which is the set levels, from a privacy perspective, at Facebook were not there.

In addition, the controls that were necessary to protect personal data were not effective or implemented.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

And the last, which is the most interesting aspect of it, is they knew they had a lack of controls and privacy as it relates to the handling of personal data. They, in my opinion, exercised wilful neglect and ignored the truth about their compliance and information.

UA: How has Facebook changed its policies to make sure something like this doesn’t happen again?

FK: Again, I’ll be honest with you, I have not seen anything that came across as impressive or something that was worth noting.

I sit back and I wonder, as a consumer leveraging Facebook for various reasons, “do I feel comfortable that they actually going to commit and do what they have to?”

I have not seen anything from a publication, communication or dialogue that’s highlighted that they’re doing their due diligence to make sure that this doesn’t happen again.

So overall, from a Facebook perspective, I have not seen anything.

UA: Have there been significant policy changes from lawmakers in the year since the data breach?

FK: If you look at the regulations that are growing, there’s GDPR, which was the privacy tidal wave. With or without Facebook issues, or the breach that they had, we’ve had a lot of things go through in the US as well.

California Privacy, which is the GDPR of America, has started taking place. Washington State has their own privacy regulations as well, they took all the definitions of personal information today and sprinkled steroids on them, making it the most detailed and specific definition.

New York State failed to enact a privacy law, but they actually succeeded issuing the SHIELD Act, which is making sure that every organisation doing business with us has control of their data. And there’s a lot more that’s coming down the pipe.

UA: Have these changes made any significant impact on computer safety and data privacy?

FK: Overall, the trend is that privacy has definitely become the norm. The interesting part is a lot of consumers, if you compare a couple years ago to now, are a lot more educated as far as what their rights are and what they can demand or ask for.

Whether it’s a regular body or standards body or US consumers or private organisers, there’s no avoiding that. So I think the trend is definitely in the right direction.

What I’ve found is that most organisations are finding out that to protect information, you need to know where it is. I’m picking up on a lot of scenarios where organisations do not have up to date data inventory to identify what that personal data is, how it’s being used, the consent levels and much more.

And in my opinion without the beating heart of any privacy programme- having an upto-date personal data inventory- organisations cannot really mature that much.

So there’s more of a race, because the regulators have organisations panicking, trying to update their compliance, and consumers are demanding more. But overall, I think we are heading in the right direction, just a matter of time before we get there.

UA: What more can companies like Facebook and legislators do to prevent this happening again?

FK: The number one thing, in my opinion, is to exercise continuous oversight, and increasing consumer compliance and assurance.

Recently the PCI Data Security Standard in the US issued a communication about its new requirements to mandate continuous security best practice.

So at this point in time, compliance doesn’t cut it. The fact that you did a security test a year ago, or you did a vulnerability scan about a month ago doesn’t matter, things have changed yesterday.

So organisations have to mature their programmes and their frameworks, to enable continuous oversight of their controls, data and content levels. Everything else is changing whether it’s on-premisis or offpremisis, so ensuring constant best practices is the only way to prevent further problems,

UA: How has the data breach affected consumer trust?

FK: It’s very interesting, because Facebook even with all that happened- they were charged a fine equivalent to their quarterly revenue- hasn’t had a decrease in revenue or expansion. I’m also not seeing a decrease in technology deployment.

So that tells me consumers still leverage Facebook’s online media, it’s all business as usual. It’s a very interesting question; consumers are still expecting that everybody is protected, even though they hear the news, and they move on with their everyday practices. So I think the trust level is still high.

I’m not seeing any impacts on revenue for Facebook, I’m not seeing any class action lawsuits taking place or a push for more regulation. Consumers are worried, but it’s business as usual.

UA: Do you think that there’s a risk that these tech giants are too big to fail?

FK: I agree 100%, these companies are too large to fail and economies depend on them.

I mean, look at the smart devices- I don’t know how I survived without an iPhone but now I can’t live without it, even though every time I leverage stuff on it I’m actually risking unauthorised access to my personal information.

UA: Is there a risk that companies like Facebook, if they’re not facing a hit to their revenue, won’t be incentivised to improve privacy and compliance?

FK: I would say yes, definitely.

I don’t think just fines are the way to go with these organisations. Shining some light on the actual critical gaps in their environment with regards to security and privacy is what we need to focus on.

UA: What do you think are the biggest lessons we can learn from the data breach?

FK: Number one, we have to recognise the fact that we have the right to question how our data is being used, and we have the right to demand for information to be controlled.

We also have the right to expect more out of regulators, to make sure they’re not just issuing guidance and laws, they have to be proactive and on par with what they’re issuing as regulations. We need to make sure that organisations and governments are following suit.

On the same token, you can’t take for granted that somebody is doing the right thing, we need to verify. So next time somebody claims that they develop an application to help protect my data, and they’re actually including privacy controls in place, I need to make sure that actually happens.

UA: If you could give  one message to these institutions, or to lawmakers, what would you say?

FK: I would tell organisations to treat consumer information like you treat your own.

One example I always use is my kids; it’s not just when they’re home that I’m responsible for them, I’m responsible for them anywhere they are, whether they’re at school or at a friend’s house or at the mall.

So it’s always making sure that you are keeping an eye on that data.

Read More: Exposed Facebook phone numbers risk SIM jacking and robocalls.

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up