Story image

Zuckerberg admits “we made mistakes” in Facebook data breach

23 Mar 18

Following the bombshell that Facebook’s data of around 50 million people had been misused to “change audience behaviour”, Facebook founder Mark Zuckerberg has released a statement – in the form of a Facebook post of course.

Just to refresh your memory, Facebook was left reeling after a whistleblower came forward and revealed to major media outlets that the company he worked at, Cambridge Analytica, had used personal information stolen without authorisation to build a platform that could profile US voters in order to target them with personalised political advertisements.

The data came from Aleksandr Kogan, a professor at the University of Cambridge who constructed an app in 2015 to collect information on Facebook users AND their friends. He then shared this data with Cambridge Analytica who later used it to support Trump’s presidential campaign.

Allegedly, Facebook discovered this in 2015 and demanded that the parties involved delete the date – but they didn’t. Facebook also banned allowing app developers to gather friend data.

Now, Zuckerberg says they’ve been working hard to understand exactly what happened and to make sure it doesn’t happen again.

“We have a responsibility to protect your data, and if we can't then we don't deserve to serve you,” Zuckerberg says in the post.

“The good news is that the most important actions to prevent this from happening again today we have already taken years ago. But we also made mistakes, there's more to do, and we need to step up and do it.”

Zuckerberg says when Facebook learnt last week that Cambridge Analytica may not have deleted the data as they had certified, they immediately banned them from using any of their services.

“Cambridge Analytica claims they have already deleted the data and has agreed to a forensic audit by a firm we hired to confirm this. We're also working with regulators as they investigate what happened,” says Zuckerberg.

“This was a breach of trust between Kogan, Cambridge Analytica and Facebook. But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.”

Zuckerberg says in this case Facebook already took the most important steps a few years ago, but there’s more the company needs to do.

“First, we will investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity,” says Zuckerberg.

“We will ban any developer from our platform that does not agree to a thorough audit. And if we find developers that misused personally identifiable information, we will ban them and tell everyone affected by those apps. That includes people whose data Kogan misused here as well.”

Zuckerberg says in the second step they will restrict developers’ data access even further to prevent further abuse.

“For example, we will remove developers' access to your data if you haven't used their app in 3 months. We will reduce the data you give an app when you sign in -- to only your name, profile photo, and email address,” says Zuckerberg.

“We'll require developers to not only get approval but also sign a contract in order to ask anyone for access to their posts or other private data. And we'll have more changes to share in the next few days.”

And third, Facebook will endeavour to make sure users understands which apps they’ve allowed to access their data.

“In the next month, we will show everyone a tool at the top of your News Feed with the apps you've used and an easy way to revoke those apps' permissions to your data. We already have a tool to do this in your privacy settings, and now we will put this tool at the top of your News Feed to make sure everyone sees it,” says Zuckerberg.

“Beyond the steps we had already taken in 2014, I believe these are the next steps we must take to continue to secure our platform. I started Facebook, and at the end of the day I'm responsible for what happens on our platform. I'm serious about doing what it takes to protect our community.”

Zuckerberg says while this specific issue with Cambridge Analytica should no longer happen with new apps today, that doesn't change what happened in the past.

“We will learn from this experience to secure our platform further and make our community safer for everyone going forward,” says Zuckerberg.

“I want to thank all of you who continue to believe in our mission and work to build this community together. I know it takes longer to fix all these issues than we'd like, but I promise you we'll work through this and build a better service over the long term.”

Facebook is set ‘crack down on platform abuse’ with a number of new features, including:

  • Investigate all apps that had access to large amounts of information before they changed the platform in 2014
  • Inform people that have been affected by apps that have misused their data
  • If someone hasn’t used an app within the last three months, the app’s access to their information will be turned off
  • Data that an app can request without app review will be restricted
  • Encourage people to manage the apps they use
  • Expand Facebook’s bug bounty program
A10 aims to secure Kubernetes container environments
The solution aims to provide teams deploying microservices applications with an automated way to integrate enterprise-grade security with comprehensive application visibility and analytics.
DigiCert conquers Google's distrust of Symantec certs
“This could have been an extremely disruptive event to online commerce," comments DigiCert CEO John Merrill. 
One Identity a Visionary in Magic Quad for PAM
One Identity was recognised in the Gartner Magic Quadrant for Privileged Access Management for completeness of vision and ability to execute.
Gartner names newcomer Exabeam a leader in SIEM
The vendor landscape for SIEM is evolving, with recent entrants bringing technologies optimised for analytics use cases.
52mil users affected by Google+’s second data breach
Google+ APIs will be shut down within the next 90 days, and the consumer platform will be disabled in April 2019 instead of August 2019 as originally planned.
Symantec releases neural network-integrated USB scanning station
Symantec Industrial Control System Protection Neural helps defend against USB-borne cyber attacks on operational technology.
Ramping up security with next-gen firewalls
The classic firewall lacked the ability to distinguish between different kinds of web traffic.
Gartner names LogRhythm leader in SIEM solutions
Security teams increasingly need end-to-end SIEM solutions with native options for host- and network-level monitoring.