The Facebook/Cambridge Analytica situation has almost everyone re-evaluating several important cybersecurity issues. What constitutes a data breach? How do we exert more control over third parties and their access to data? How do we approach privacy concerns that deal with weaponizing data versus financial gain? What does this mean for those of us who regularly use social media? And what are the GDPR implications?
Unconventional Data Breach
During a television interview, Minnesota senator Amy Klobuchar made it clear that she and many of her colleagues believe this was a massive data breach, and that the leadership of both Facebook and Cambridge Analytica need to speak before Senate committees. What made Klobuchar’s statement stand out was that, until that point, few were referring to this as a data breach. It didn’t look like a data breach as they’ve long been defined. This compromise of personal data did not involve malware or an outside hacker. Nor was it the work of a malicious insider intent on causing harm to his company. This was someone who was authorized to have access to certain pieces of data and took advantage of it. Klobuchar and others compared it to a landlord handing someone your apartment key, and that person unlocking the door and stealing your valuables. It wasn’t a traditional break-in, but it was still theft and a breach of your privacy.
The Third-Party Threat
Cambridge Analytica is hardly the only company with access to Facebook data; nor can we be lulled into thinking that this is only a Facebook issue.
“Cambridge Analytica had/has access to the same information as anyone else using Facebook for business purposes,” said Andy Patel, cybersecurity researcher with F-Secure. “Other firms are most certainly harvesting data in a similar manner in order to more accurately target their own marketing campaigns.”
Until 2015, Facebook allowed apps to take advantage of the information they culled from users, a practice that isn’t uncommon. In fact, here’s where users have failed themselves. Apps will tell you what information they are gleaning, if you read the Terms of Service agreements. But who reads that? Quizzes are fun to take; who cares if the quizzes are searching through your pictures and your posts to come up with that “perfect” answer about you? We should have realized these apps were latching on to the data of our friends when the quiz would “reveal” which of your friends will play a role in your wedding, your robbery or your novel.
“Apps connected to Facebook have long been a threat to users’ privacy, and Cambridge Analytica is the very sort of danger that we’ve been warning people about for months,” said Paul Bischoff, privacy advocate at Comparitech.com. “Apps connected to Facebook, however, have their own settings that aren’t covered in any of the obvious places.”
This highlights the threats that third-party vendors bring. If their security and privacy standards don’t match those of your organization, you are exposing yourself to potentially malicious behavior that is outside your control. In this case, Facebook is the company facing the most wrath over the data loss—and deservedly so, to a point—but it is not the only actor involved.
“As enterprises increasingly leverage mobile and social platforms to advance customer relations and business operations, they must adopt a threat management plan to ensure user privacy and data security,” said James Robinson, VP of Third Party Risk Management at Optiv.
This plan, Robinson added, should be built on the core principle that mobile and social platforms are third parties, and include the following components:
- An outline of the threat landscape (potential attack methods and areas of risk)
- Threat modeling
- The same risk management and governance controls that would be applied to a traditional third-party business partner
- A detailed incident response strategy
Facebook shareholders should be thankful this came to light now, and not after May 25, when the General Data Protection Regulation (GDPR) takes effect. In addition to the hit the company took on the stock market, the GDPR fine would have been in the billions. And yes, Facebook would have been responsible for the leaked data, as GDPR Reports commented:
“Even if data is collected in an appropriate way, the controller of that data is responsible and accountable for how it is processed by third parties. … Central to GDPR is the concept of Privacy by Design, the principle that data privacy must be built into a product or service at its very foundation, not an after-thought.”
To organizations, the Facebook/Cambridge Analytica incident is a reminder that we need to better understand what constitutes a data breach, and to be more open about how the information we collect is used for marketing or for influencing our base. We also need to do a better job of ensuring that the outside vendors we work with are able to meet our privacy and security standards.
Consumers also need to step up and make sure they are checking the ToS of their social media platforms and are providing fewer permissions for the site or its outside partners. In the near future, GDPR will provide some level of protection, but it is up to all of us to take our own privacy and security into our hands when possible.