In September 2018, almost 50 million Facebook users were left exposed by a security breach. A year later, what has changed for Facebook and lawmakers, and what lessons have been learned? Umar Ali sat down with SecurityScorecard VP of compliance Fouad Khalil to find out more.
Facebook data breach
Facebook’s string of data scandals, including the 2018 data breach, which saw over 50 million users left vulnerable after attackers exploited a security flaw, stands out as a troubling chapter in the history of the Internet.
Although Facebook said that there was no evidence accounts had been compromised, the company is no stranger to controversy surrounding data security, with incidents such as the Cambridge Analytica scandal raising concerns about how safe Facebook users’ data is and what it is being used for.
Ahead of the one-year anniversary of the breach, Verdict spoke with Fouad Khalil, VP of compliance at US-based security company SecurityScorecard, about how the online landscape has changed following the breach and what could still be done to protect data.
Umar Ali (UA): Could you give a brief overview of what happened with the data breach?
Fouad Khalil (FK): Well, there’s a lot of things that happened with the Facebook data breach, one of which is that the set levels, from a privacy perspective, at Facebook were not there.
In addition, the controls that were necessary to protect personal data were not effective or implemented.
And the last, which is the most interesting aspect of it, is they knew they had a lack of controls and privacy as it relates to the handling of personal data. They, in my opinion, exercised wilful neglect and ignored the truth about their compliance and information.
UA: How has Facebook changed its policies to make sure something like this doesn’t happen again?
FK: Again, I’ll be honest with you, I have not seen anything that came across as impressive or something that was worth noting.
I sit back and I wonder, as a consumer leveraging Facebook for various reasons, “do I feel comfortable that they’re actually going to commit and do what they have to?”
I have not seen anything from a publication, communication or dialogue that’s highlighted that they’re doing their due diligence to make sure that this doesn’t happen again.
So overall, from a Facebook perspective, I have not seen anything.
UA: Have there been significant policy changes from lawmakers in the year since the data breach?
FK: If you look at the regulations that are growing, there’s GDPR, which was the privacy tidal wave. With or without Facebook issues, or the breach that they had, we’ve had a lot of things go through in the US as well.
California Privacy, which is the GDPR of America, has started taking place. Washington State has their own privacy regulations as well, they took all the definitions of personal information today and sprinkled steroids on them, making it the most detailed and specific definition.
New York State failed to enact a privacy law, but they actually succeeded in issuing the SHIELD Act, which is making sure that every organisation doing business with us has control of their data. And there’s a lot more that’s coming down the pipe.
UA: Have these changes made any significant impact on computer safety and data privacy?
FK: Overall, the trend is that privacy has definitely become the norm. The interesting part is a lot of consumers, if you compare a couple years ago to now, are a lot more educated as far as what their rights are and what they can demand or ask for.
Whether it’s a regulatory body or standards body or US consumers or private organisers, there’s no avoiding that. So I think the trend is definitely in the right direction.
What I’ve found is that most organisations are finding out that to protect information, you need to know where it is. I’m picking up on a lot of scenarios where organisations do not have up to date data inventory to identify what that personal data is, how it’s being used, the consent levels and much more.
And in my opinion, without the beating heart of any privacy programme, having an up-to-date personal data inventory, organisations cannot really mature that much.
So there’s more of a race, because the regulators have organisations panicking, trying to update their compliance, and consumers are demanding more. But overall, I think we are heading in the right direction, just a matter of time before we get there.
UA: What more can companies like Facebook and legislators do to prevent this happening again?
FK: The number one thing, in my opinion, is to exercise continuous oversight, and increase consumer compliance and assurance.
Recently the PCI Data Security Standard in the US issued a communication about its new requirements to mandate continuous security best practice.
So at this point in time, compliance doesn’t cut it. The fact that you did a security test a year ago, or you did a vulnerability scan about a month ago doesn’t matter, things have changed yesterday.
So organisations have to mature their programmes and their frameworks, to enable continuous oversight of their controls, data and content levels. Everything else is changing, whether it’s on-premises or off-premises, so ensuring constant best practices is the only way to prevent further problems.
UA: How has the data breach affected consumer trust?
FK: It’s very interesting, because Facebook, even with all that happened, and they were charged a fine equivalent to their quarterly revenue, hasn’t had a decrease in revenue or expansion. I’m also not seeing a decrease in technology deployment.
So that tells me consumers still leverage Facebook’s online media, it’s all business as usual. It’s a very interesting question; consumers are still expecting that everybody is protected, even though they hear the news, and they move on with their everyday practices. So I think the trust level is still high.
I’m not seeing any impacts on revenue for Facebook, I’m not seeing any class action lawsuits taking place or a push for more regulation. Consumers are worried, but it’s business as usual.
UA: Do you think that there’s a risk that these tech giants are too big to fail?
FK: I agree 100%, these companies are too large to fail and economies depend on them.
I mean, look at the smart devices: I don’t know how I survived without an iPhone, but now I can’t live without it, even though every time I leverage stuff on it I’m actually risking unauthorised access to my personal information.
UA: Is there a risk that companies like Facebook, if they’re not facing a hit to their revenue, won’t be incentivised to improve privacy and compliance?
FK: I would say yes, definitely.
I don’t think just fines are the way to go with these organisations. Shining some light on the actual critical gaps in their environment with regards to security and privacy is what we need to focus on.
UA: What do you think are the biggest lessons we can learn from the data breach?
FK: Number one, we have to recognise the fact that we have the right to question how our data is being used, and we have the right to demand that information be controlled.
We also have the right to expect more out of regulators, to make sure they’re not just issuing guidance and laws, they have to be proactive and on par with what they’re issuing as regulations. We need to make sure that organisations and governments are following suit.
By the same token, you can’t take for granted that somebody is doing the right thing; we need to verify. So next time somebody claims that they’ve developed an application to help protect my data, and they’re actually including privacy controls in place, I need to make sure that actually happens.
UA: If you could give one message to these institutions, or to lawmakers, what would you say?
FK: I would tell organisations to treat consumer information like you treat your own.
One example I always use is my kids; it’s not just when they’re home that I’m responsible for them, I’m responsible for them anywhere they are, whether they’re at school or at a friend’s house or at the mall.
So it’s always making sure that you are keeping an eye on that data.