September 5, 2019

After ongoing data usage and privacy concerns, Facebook is facing new controversy from an old issue as it appears that millions of user phone numbers are easily available online.

Just a few short weeks ago the US Federal Trade Commission hit Facebook with a $5 billion fine for improper use of personal data. The fine, equivalent to CEO Mark Zuckerberg’s net worth, will be a record one if approved by the US federal government.

Now, an apparently anonymous online server with no password protection has been discovered hosting up to 419 million Facebook user records spread across a number of databases. Without that protection, anyone who found the server could have accessed the stored information.

TechCrunch reports that the databases contained the records of 133 million US Facebook users, 18 million UK users, and 50 million users from Vietnam. The exposed information appears to include Facebook IDs and the corresponding user telephone numbers. TechCrunch verified the authenticity of a number of records by checking users’ phone numbers against their Facebook IDs. The publication also used Facebook’s password reset process, which reveals part of a user’s phone number, to verify that further records were indeed legitimate Facebook users.

Facebook has restricted personal data access

In April 2018, after revelations about data misuse, Facebook made a number of changes “to restrict data access on Facebook.” These included removing the public ability to search Facebook by phone number or email address to find a user’s profile, a facility that was being abused by data scrapers. Facebook wrote at the time:

“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well.”

Back in 2011 Facebook disabled an API, used by developers in other applications, that shared users’ mobile phone and address details without express user permission.

The discovered data may have been scraped from Facebook over a year ago

The database in question today was discovered by security researcher Sanyam Jain who could not identify who owned or published the information and reported his find to TechCrunch. The web host, after being contacted by TechCrunch, has now removed the files.

A Facebook spokesperson, Jay Nancarrow, has reportedly responded to the news saying there is no evidence Facebook accounts have been compromised and that:

“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers.”

Nancarrow also stated that the data had been removed from the internet. TechCrunch believes the data “appeared to be loaded to the exposed database at the end of last month,” but agreed that this doesn’t mean the published data is new.

The data, then, was potentially scraped from Facebook at a time when it was easier for illicit actors to do so, before Facebook made key changes in response to concerns. However, the 419 million reported records could well have been uploaded recently and, lacking any password protection, obtained by others such as marketers, or worse. The open questions remain who obtained the data in the first place, what they have used it for, and why it was uploaded to the internet.

Increasing pressure for companies to provide better data privacy

Though Facebook is making changes to its policies and processes, a data exposure of this kind adds to the pressure on the social media giant to better protect its users and their data. In addition to the very recent $5 billion fine, Facebook has also reportedly agreed to greater government oversight of how it handles user data, though the conditions of the settlement don’t appear to limit Facebook’s ability to collect and share user data with third parties.

Pressure to provide better data privacy is not just ramping up for Facebook. The implementation of GDPR has led to British Airways and the Marriott hotel chain receiving potential fines of £183 million and £99 million respectively, both for data breaches.

Both recent fines exceed the previous maximum fine of £500,000 issued by the UK Information Commissioner’s Office (ICO). That maximum fine was only ever issued once – to Facebook for its part in the Cambridge Analytica scandal where the data of 87 million of its users was shared with the company. GDPR means that the ICO can now impose fines of a value up to 4% of a company’s annual revenue. The latest mammoth fine from the US for Facebook also hints that the US, like Europe, is getting serious over data privacy.

Consumers too are far more privacy aware today than ever before. Data breaches eat away at consumer confidence in a brand, and though Facebook’s user numbers are hardly plummeting, individuals expect better privacy protection.

Data hacks, breaches, and accusations of misuse don’t just happen to big brands either: any company of any size that obtains and stores the personal data of its customers or users is at risk.

Want to know more about security awareness training? Why not sign up for a free demo and find out how we’re already helping government and public sector organisations dramatically improve employee security awareness across their supply chains.
