Facebook Personal Data Breach, the aftermath

On september 28 2018, Facebook published a statement saying a security breach had taken place earlier that week, having brought the personal data of 50 million users in jeopardy. The personal data breach has been reported to the Irish information supervisory authority, but does this mean the story is over?

What happened

The leak reported by Facebook on Friday September 28 was caused by a combination of three bugs. With the “view as” functionality it was unintentionally possible to post a video. In the video-post functionality itself, an error snug into a July 2017 update in which the generation of an access token did not work as intended. In a certain usage situation, this error resulted in the acces token of the wrong person being exposed, allowing this person’s full profile to be accessed. For the technical analysis of the leak we refer to Facebook’s original update. This breach caused personal data on 50 million accounts to be accessed by ill-willing individuals.

The so-called access tokens are used for services where one can sign in with their Facebook account such as facebook.com, Instagram, and Spotify. The secret tokens are used to recognize whether a user has already signed in and does not need to provide their password anymore. If someone has your access-token, they can pretend to be you revisiting the service and will not be asked for your password. Whether other services than facebook.com are accessed with the tokens is unknown as of now. This news could have come at a better time for Facebook. After the 2016 US election influencing, Cambridge Analytica, and Chief Security Officer Alex Stamos leaving without replacement, Facebook has lost quite some information security credibility.

Personal Data Breaches under the GDPR

The new European privacy regulation GDPR has been in force since May 25 2018, and aims among others to protect personal data. Part of this is the obligation to practice sound information security and adequately deal with data leaks. The GDPR defines personal data breaches as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed“, which is exactly what happened to Facebook.

In articles 33 and 34, the GDPR outlines all mandatory actions for organizations to take in case of a data breach. Article 33 describes when and how to notify the correct EU supervisory authority (Irish for Facebook) and article 34 focuses on the notification of data subjects.

Facebook had to report the following to their supervisory authority within 72 hours:

• The nature of the personal data breach and, if possible, the categories and estimated number of data subjects and personal data records involved
• The name and contact details of the Data Protection Officer or other capable contact person
• The likely consequences of the data breach
• The measures taken or proposed to be taken to address the data breach

Taken actions

On September 16th, Facebook noticed an unusual spike in users which raised enough concern to launch an investigation. On September 25th, the vulnerability was found and Facebook discovered their security had been breached. They notified the FBI, and within 72 hours their lead supervisory authority DPC in Ireland as well. The latter was apparently not completely satisfied with the information Facebook provided. Facebook would know too little about the possible cause and size of the impact. The DPC refrains from any further comments until Facebook has answered all questions asked.

On Friday Septermber 25th, Facebook held two press calls. VP of Product Management Guy Rosen, Head of Cybersecurity Policy Nathaniel Gleicher, and CEO Mark Zuckerberg answered press questions. During these calls, not much new information was released. Facebook had not fully determined the scope and origin of the attack, or was unwilling to share this with the press.

In reaction to the discovered breach, Facebook first disabled the “view as” feature to prevent any new data from being stolen and notified the FBI. They reset the access tokens of the 50 million accounts that were known to be compromised, and 40 million more that have been at risk. The users of these accounts need to log back in to receive a new access token, and are informed by means of a message in the app. The “view as” feature will remain turned off until Facebook has completed a full technical review.

What is next?

Even if Facebook truthfully answers all DPC questions, they are not completely off the hook. The GDPR does not consider data breaches illegal, but handling one badly or not taking information security seriously is a different story. By fully cooperating with the DPC, Facebook will escape a 700 million dollar (2% of their annual revenue). The other possible fine of 1.4 billion dollars (4% of their annual revenue) might have a higher chance of sticking. By infringing on the basic principles of personal data processing, organizations risk this highest category of fines. Facebook might be charged with such negligence, since article 5.1 (f) GDPR states that personal data should be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures“. For now, it is a matter of waiting on Facebook and the DPC to finish their investigations.

Information on the DPC’s statements are from a Wall Street Journal article. 

Discussion

In the open special interest LinkedIn group Information Security NL we like to discuss the latest news on privacy and security. This article has been posted there as well, and we are curious about your take on the situation. Information Security NL is a free initiative for sharing knowledge on information security.

Image credit: timbennettcreative via Unsplash