While 2020 was a bad year for us all, 2019 was a terrible year for Facebook, as it paid a $5 billion fine for a data breach. While most of us do not run a company as rich as this one, we can all learn from the mistakes that were made, even if you are a one-woman band running a business from home!
In the midst of allegations over issues that include interference in elections, the spread of misinformation and hate speech, Facebook suffered a big blow in its security.
Back on Tuesday, 24th September 2018, Facebook engineers discovered an attack on its systems that was said to have potentially affected 50 million of its users. This raised enough alarm that the Irish Data Protection Commission opened an official investigation into the matter.
When data breaches happen, not only do you face monetary losses from fines, but you also have to investigate the vulnerability and fix it. You will then need to spend considerable money on rebuilding your reputation. A dashboard that lets you analyze ROI in one place can help you see the true extent of the damage.
So, let’s take a look at the Facebook data breach and the things we can learn.
How it happened
According to Fox Business, the hacker stole Facebook’s access tokens through its ‘View As’ feature. The attacker could then access users’ accounts using these tokens. Access tokens allow users to stay logged into Facebook across many browsing sessions without having to re-enter their passwords every time. The hacker used three bugs that had been introduced into this feature in July of the previous year.
Facebook was not sure when the attack started, but it assured users that a thorough internal investigation was under way to establish the extent of the attack. Facebook also said that about 40 million of its users who had used the affected feature to log in would be logged out to help contain the situation. This was to make sure that no further damage was done while the investigation continued. It is, however, not clear whether the attack was targeted at specific accounts.
What this means
Facebook showed how the hackers were able to steal automated log-in credentials, also known as tokens. These tokens allow one to log in to other popular sites such as Instagram and Spotify. With this in mind, the attack may have affected not only Facebook accounts but also other third-party applications and websites.
Single Sign-On (SSO) systems like the one Facebook uses have ushered in an era of a tightly connected Internet. One can now avoid the pain of creating and managing different accounts across different sites and use a single account to control them all. As convenient and comfortable as it is, this kind of practice can quickly open one up to a security breach. A paper on the risks of Single Sign-On systems has been drafted that clearly shows the security pitfalls that come with these systems. The contributors to this paper include Mohammad Ghasemisharif, Chris Kanich, Amrutha Ramesh, Stephen Checkoway, and Jason Polakis of the University of Illinois at Chicago.
Where the General Data Protection Regulation comes in
The General Data Protection Regulation (GDPR) came into force in May last year, and since then it has attracted a lot of interest from both the media and the industry. The Facebook case, for instance, was a chance for the regulators to prove their effectiveness. Though some opinions held that Facebook was going to have an easy ride, the opposite proved to be true.
With the announcement that the Irish Data Regulatory Commission was going to look into the matter, the Spanish regulatory body also announced that it would take part in the investigation to protect its citizens as well. There are several measures you can use to protect yourself: VPNs come in handy when you want to protect your personal data from online fraudsters or hackers, as do network segregation and two-factor authentication.
The investigation was to check whether Facebook had met its obligation under the GDPR to establish suitable organizational and technical measures to ensure the security and safeguarding of its users’ data. The GDPR is a European law that enhances the privacy protection of individuals, and companies that do not adhere to it are at risk of heavy penalties. The GDPR requires that organizations and companies report a breach within 72 hours and give detailed reports on it.
Earlier, in April, Facebook had outlined a set of new privacy settings to bring it in line with the GDPR. According to The Register, Facebook was silently shifting 1.5 billion users from Europe to the US while claiming it still wanted to offer high security for its users. However, from its 1st October update it is clear that Facebook was working with the Ireland Regulatory Commission to share the preliminary data on the hacking issue. The Ireland Data Regulatory Commission confirmed this in a Twitter post on 3rd October, saying that it had started its investigation into the matter.
Measures taken by Facebook
Following this ordeal, Facebook disabled the feature affected by these bugs. It then reset the affected feature for 90 million users and logged them out; when those users log back in, a new token is generated. Experts have, however, advised that this may not be a long-term solution for users, given the risks that still come with the use of SSO systems, as indicated earlier. Facebook, for its part, has assured users that it is doing everything it can to control the situation and to keep its users safe.
To conclude, the Facebook incident can be a lesson to us all that we need to take data security seriously. If you do a bit of reading on this matter, you will see that the statistics certainly do not make pretty reading. You need to do everything in your power to make sure that your company is protected. This will involve a layered approach to security; after all, there is no single method that can protect you from every possible attack.