Story image

Experts and execs comment on Facebook data leak

05 Apr 2019

Yesterday, cybersecurity company UpGuard broke the news of 540mil Facebook user records being exposed on the Internet due to misconfigured AWS servers.

The leak is another strike in a long list of Facebook’s faults as it scrambles to maintain its reputation.

Here is what cybersecurity experts and executives had to say about the data leak:

Tenable co-founder and CTO Renaud Deraison

Seems like every other week a security issue is discovered in the Facebook ecosystem.

Facebook is giving third-party app developers access to user data.

That means the company’s massive trove of data is in the hands of potentially thousands of third parties all over the world.

App developers are focused mainly on bringing new offerings to market quickly - it’s what consumers have come to expect.

It looks like Facebook doesn’t have enforced guidelines when it comes to how its partners handle cybersecurity.

Ping Identity Asia Pacific chief technology officer Mark Perry

The latest reports of user passwords exposed in plaintext on public servers by Facebook is lamentable, but all too common event in the technology industry.

Tech companies are the custodians of user credentials and other personally identifiable information, a valuable resource in today's world.

Ping Identity's message to tech companies is simple: encrypt user data at rest and in transit; use up to date, off-the-shelf password hashing algorithms; don't write your own security code; monitor attack vectors like APIs using modern, threat-aware solutions; and control access to your services and applications using multi-factor authentication and fine-grained access control for everyone that touches them: end users, developers and system administrators.

CQR Consulting chief technology officer and co-founder Phil Kernick

The most recent breach of Facebook data only underscores the reality of the business models of social media platforms – the users are not the customers, they are the product.  

Your data is collected, filtered, aggregated and then sold to any business that agrees to comply with Facebook’s policy of not storing it unprotected. 

Whether these third parties actually comply is a contractual matter with Facebook and the user’s whose data is compromised have no say in the matter. 

While Facebook has recently made announcements that they will take a privacy-first approach to user data, this seems to be more a response to avoiding Government oversight than genuine care for their users. 

They’ve made these promises before. 

They’ve broken these promises before. 

Aura Information Security general manager Peter Bailey

As far as data privacy and security goes, Facebook is having a particularly bad run and the company is fast becoming the poster child for what not to do. 

First the Cambridge Analytica saga, then the security flaw that allowed hackers to access 50 million Facebook accounts… and now this.  

It’s becoming increasingly apparent that Facebook simply isn’t taking their duty of care in regards to the privacy of the data of its users seriously enough. 

Social media platforms like Facebook are about trust, if users don’t feel they can use them safely, we’re going to see more people leave the platform.

WatchGuard Technologies A/NZ regional director Mark Sinclair

Organisations need to be very careful when sharing sensitive data with other third-party organisations. 

Third parties are often a much easier target and, once compromised, can also act as a launching pad for a cyber-attack on the original organisation.  

Any organisation that shares data should be reviewing their API's to ensure controls are in place to limit sensitive data and regular audits be done on the third parties to ensure compliance to privacy regulations and IT security standards.

Digital Guardian cloud services security architect Naaman Hart

In the age of GDPR companies must realise that when they collect data they are responsible for it, regardless of whether they share it onwards or keep it themselves. 

It will be interesting to see whether litigation springs from this as I expect it might. 

In that case, the financial and reputational damage to Facebook might prompt them to ensure the companies they do business with are held to their own security standards.