On September 25, Facebook discovered that 50 million user accounts had been compromised as a result of a vulnerability that allowed access tokens (what keeps you signed into Facebook on all your devices) to be illegally accessed. During Facebook’s investigation, another 40 million users were found to have the potential to be compromised, bringing the total to nearly 100 million users affected. It’s a security breach that’s on par with Equifax, not necessarily in terms of the number of people affected (although it’s quite close), but in the sheer volume of personal data collected by a single company. And with the Cambridge Analytica scandal earlier this spring, this most recent blemish means the company is being scrutinized even more by regulators and lawmakers alike.
To help remedy the situation, Facebook logged out 90 million accounts to reset the access tokens on September 28. That would explain why you may have had to re-sign into your account. But was there more that the company could have done?
Maybe yes, maybe no. The security vulnerability here appears to be several flaws combined, involving the “View As” profile feature and the video uploader tool. Facebook patched the vulnerability and is working with the FBI to determine the source of the attack. But due to the complex nature of the bugs that were exploited, the company and analysts believe the attackers had to be fairly sophisticated, and according to one security researcher, they may never be found.
Interestingly, this breach will be the first major test for the new European data protection regulations, or GDPR. According to news sources, Facebook could face a fine of up to $1.63 billion for the breach. Facebook has said it is working with the Irish Data Protection Commission to determine the scope of the breach for EU users.
First off, if it wasn’t already obvious, cybersecurity requires constant vigilance and is definitely an arms race. These days, it’s a matter of when you are breached, not if.
With that being said, what’s your plan after a security breach? How will you alert your users, staff, and board of directors? If you are required to be compliant with GDPR, you know that you must notify the supervisory authority within 72 hours of becoming aware of a data breach. What’s your action plan for doing so?
In other words, what can you learn from Facebook so that you don’t become the next organization under the microscope?
Looking for the highest standards of security and privacy yourself? Online Tech can provide you with secure, compliant infrastructure and help ensure your applications inside our infrastructure are also secure. Contact us to learn more.