Facebook is once again paying the price for giving third-party developers unfettered access to user data, following a data leak in which millions of user records were found freely available on an Amazon Web Service server.
Yesterday evening cybersecurity firm UpGuard revealed how Mexico City-based platform Cultura Colectiva, a third-party app that posts stories about celebrities and culture, left 540 million records containing Facebook names, comments, reactions and account IDs available for anyone to access or download.
The database was secured shortly after Facebook and Amazon – which is the largest cloud provider in the world – became aware of the data leak.
In another breach by a Facebook third party, a now-defunct app called At the Pool listed the names, passwords and email addresses of 22,000 people on an AWS server without protection.
The danger is that, because many people reuse passwords across multiple platforms, the exposed passwords in this breach could be used by hackers to gain access to other services.
Kevin Gosschalk, CEO of fraud prevention firm Arkose Labs, said it’s “almost certain” that the exposed personally identifiable information is already available on the dark web “for use in future cyberattacks”.
And while the type of data exposed in the Cultura Colectiva leak is not as sensitive as financial or passport information, such records are valuable breadcrumbs for cybercriminals. According to Cindy Provin, CEO of cybersecurity firm nCipher Security, they can “easily piece together the information and use it as bait for phishing attacks and identity theft to cash in on even more sensitive information”.
In a statement, Facebook said its policies “prohibit storing Facebook information in a public database” and that it is “committed to working with the developers on our platform to protect people’s data”.
Skeletons from the API closet
It is not the first time skeletons from Facebook’s past have come back to haunt it. Many of its current problems (and there are many) can be traced back to its former mantra of “move fast and break things”, which drove rapid growth and innovation on the social media platform.
Part of that involved enticing third-party developers onto Facebook by giving them unrestricted access to Facebook user data.
This fast and loose approach to user data exploded onto the public’s radar just over a year ago, after it was revealed that users’ own data was being used to create targeted political advert campaigns in the Cambridge Analytica scandal.
“Cambridge Analytica was the most high profile case that led to some significant changes in how Facebook interacts with third-party developers, but I suspect there are many troves of Facebook data sitting around where they shouldn’t be, including this one,” says Paul Bischoff, privacy advocate with security and privacy comparison site Comparitech.com.
Once again with the latest Facebook data leak, it is regulators that are attempting to glue together the broken pieces, while Facebook users continue to be hit by the shrapnel.
And with the implementation of the General Data Protection Regulation (GDPR) in 2018 threatening tougher financial penalties for data abuses in Europe, as well as a toughening stance from regulators globally, it is perhaps unavoidable that more third-party data leaks will come back to haunt the tech giant.
This time, Facebook might end up paying for some of the things it has broken.
Who is liable for the Facebook data leak and what happens next?
Under GDPR, the responsibility for protecting data lies primarily with the individual or organisation that is in control, or the ‘controller’ of the data, says Robert Wassall, a leading data protection lawyer and head of legal services at cybersecurity firm ThinkMarble.
“In this instance it’s difficult to be sure who that is,” he tells Verdict. “If Cultura Colectiva were storing the data on behalf of a third party, then that would suggest that they are a ‘processor’. If Cultura Colectiva were not doing something with it for a third party, then they are the ‘controller’.”
However, because Cultura Colectiva is not in the EU, GDPR would only apply if data of European citizens was leaked.
Given that the platform’s target audience is Latin Americans, it is less likely that EU citizens’ data will be compromised.
“Otherwise, from a legal perspective, any enforcement action would have to come from the US or Mexico, if their respective data protection laws have been breached,” says Wassall.
He adds that if GDPR does apply, and Facebook is deemed legally responsible, “it is possible that the Irish data protection regulator, The Data Protection Commission, could consider taking action”.
Firms found to have breached GDPR face a maximum fine of €20m or 4% of global annual turnover.
“In this case, Facebook partnered with various organisations and transferred user data from Facebook users to those third parties,” says Tim Mackey, senior technical evangelist at Synopsys.
“While it ultimately falls to everyone who touches or stores sensitive data to protect that data, if your organisation is the source of the data you have a duty to your users to protect their information as it’s shared.
“This is a key principle of regulations like GDPR which seek to protect user data as it might be processed between organisations and ensure that appropriate safeguards are in place.”
Facebook data leak, a spanner in the works for Zuck
The latest Facebook data leak will throw yet another spanner in the works of Facebook chief executive Mark Zuckerberg’s recent promise of a ‘privacy-focused’ social media platform.
Sam Curry, chief security officer at Cybereason, asks whether ‘Facebook privacy’ is “an oxymoron or the gift that keeps on giving?”
Tackling it requires a major shakeup of its personnel, he says, creating a senior post to “own privacy, staff it and back it. If someone exists, doing it now either up-levels them or fire-and-replace them,” with regular checks carried out by independent advisors.
Despite the tech giant’s numerous attempts to deflect bad publicity, the problem is – and will continue to be – Facebook’s, says Cambridge Analytica whistle-blower Christopher Wylie.
“As consumers we’re not told if you don’t want to get electrocuted, don’t use electricity,” said the data scientist, speaking yesterday at the IP Expo conference in Manchester.
“There are regulations in place and accountability lies with the provider, not the user. Why isn’t that the same with technology?”