
Experts and execs comment on Facebook data leak

05 Apr 2019

Yesterday, cybersecurity company UpGuard reported that more than 540 million Facebook user records had been exposed on the Internet through misconfigured Amazon S3 storage buckets operated by third-party app developers.
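The misconfiguration behind the exposure is an S3 bucket that grants anonymous read access, either through a bucket policy whose principal is `*` or through an ACL grant to the AllUsers or AuthenticatedUsers groups. The following Python is an added example, not UpGuard's or Facebook's code: it audits the JSON shapes that S3's GetBucketPolicy and GetBucketAcl calls return, using constructed sample documents (the bucket name, the `123456789012` account ID and the role name are placeholders) so it runs offline against a weak configuration and a corrected one.

```python
"""Audit an S3 bucket policy and ACL for anonymous (public) read access.

Added example, not code from UpGuard or Facebook. The sample policy and ACL
documents below are constructed; the bucket, account ID and role are placeholders.
"""
import json

# Canned S3 group URIs; a grant to either makes the bucket world-readable.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Actions (lower-cased) that let a principal read objects or list the bucket.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(actions):
    return any(a.lower() in READ_ACTIONS for a in _as_list(actions))


def public_policy_statements(policy):
    """Return (Sid-or-index, finding) for each Allow statement open to anyone."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", str(i))
        if "Condition" in stmt:
            # A condition (e.g. aws:SourceVpce) may narrow access; still flag for review.
            findings.append((sid, "conditional"))
        elif _grants_read(stmt.get("Action", [])):
            findings.append((sid, "public-read"))
    return findings


def public_acl_grants(acl):
    """Return the permissions granted to the AllUsers/AuthenticatedUsers groups."""
    return [
        g["Permission"]
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEES
    ]


def is_public(policy, acl):
    return bool(public_policy_statements(policy)) or bool(public_acl_grants(acl))


# Constructed samples: the weak configuration beside the corrected one.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-app-backups/*",
    }],
}
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": PUBLIC_GRANTEES and
                 "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}

SAFE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},  # placeholder
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-app-backups/*",
    }],
}
SAFE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
]}

if __name__ == "__main__":
    for name, pol, acl in (("weak", WEAK_POLICY, WEAK_ACL), ("safe", SAFE_POLICY, SAFE_ACL)):
        print(name, "public" if is_public(pol, acl) else "private",
              public_policy_statements(pol), public_acl_grants(acl))
```

Beyond fixing the policy and ACL, the durable control is the account-level "Block Public Access" setting, which rejects public policies and ACLs regardless of what a developer later writes; the audit above is the check you run to find buckets created before that setting existed.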

The leak is another strike in a long list of Facebook’s faults as it scrambles to maintain its reputation.

Here is what cybersecurity experts and executives had to say about the data leak:

Tenable co-founder and CTO Renaud Deraison

Seems like every other week a security issue is discovered in the Facebook ecosystem.

Facebook is giving third-party app developers access to user data.

That means the company’s massive trove of data is in the hands of potentially thousands of third parties all over the world.

App developers are focused mainly on bringing new offerings to market quickly - it’s what consumers have come to expect.

It looks like Facebook doesn’t have enforced guidelines when it comes to how its partners handle cybersecurity.

Ping Identity Asia Pacific chief technology officer Mark Perry

The latest reports of user passwords exposed in plaintext on public servers by Facebook are lamentable, but an all too common event in the technology industry.

Tech companies are the custodians of user credentials and other personally identifiable information, a valuable resource in today's world.

Ping Identity's message to tech companies is simple: encrypt user data at rest and in transit; use up to date, off-the-shelf password hashing algorithms; don't write your own security code; monitor attack vectors like APIs using modern, threat-aware solutions; and control access to your services and applications using multi-factor authentication and fine-grained access control for everyone that touches them: end users, developers and system administrators.

CQR Consulting chief technology officer and co-founder Phil Kernick

The most recent breach of Facebook data only underscores the reality of the business models of social media platforms – the users are not the customers, they are the product.  

Your data is collected, filtered, aggregated and then sold to any business that agrees to comply with Facebook’s policy of not storing it unprotected. 

Whether these third parties actually comply is a contractual matter with Facebook, and the users whose data is compromised have no say in the matter. 

While Facebook has recently made announcements that they will take a privacy-first approach to user data, this seems to be more a response to avoiding Government oversight than genuine care for their users. 

They’ve made these promises before. 

They’ve broken these promises before. 

Aura Information Security general manager Peter Bailey

As far as data privacy and security goes, Facebook is having a particularly bad run and the company is fast becoming the poster child for what not to do. 

First the Cambridge Analytica saga, then the security flaw that allowed hackers to access 50 million Facebook accounts… and now this.  

It’s becoming increasingly apparent that Facebook simply isn’t taking their duty of care in regards to the privacy of the data of its users seriously enough. 

Social media platforms like Facebook are about trust; if users don't feel they can use them safely, we're going to see more people leave the platform.

WatchGuard Technologies A/NZ regional director Mark Sinclair

Organisations need to be very careful when sharing sensitive data with other third-party organisations. 

Third parties are often a much easier target and, once compromised, can also act as a launching pad for a cyber-attack on the original organisation.  

Any organisation that shares data should be reviewing their APIs to ensure controls are in place to limit sensitive data, and regular audits should be done on the third parties to ensure compliance with privacy regulations and IT security standards.
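One concrete form of the API control described above is a default-deny allow-list: a partner app receives only the fields its granted scopes name, and an audit function flags any response field that the scopes do not cover. The Python below is an added example, not Facebook's or WatchGuard's code; the scope names, the field map, the never-export set and the sample user record are all constructed for illustration.

```python
"""Minimise the user data an API returns to a third-party app, by granted scope.

Added example, not Facebook's or WatchGuard's code. Scope names, field map and
the sample record are constructed for illustration.
"""
from typing import Any, Dict, Iterable, List, Set

# A field leaves the service only if some granted scope lists it (default deny).
SCOPE_FIELDS: Dict[str, Set[str]] = {
    "public_profile": {"id", "name"},
    "email": {"email"},
    "user_posts": {"posts"},
}

# Fields that no partner scope may ever expose, whatever the app requests.
NEVER_EXPORT: Set[str] = {"password_hash", "phone", "session_tokens"}


def fields_for(scopes: Iterable[str]) -> Set[str]:
    """Union of the fields the granted scopes allow; unknown scopes grant nothing."""
    allowed: Set[str] = set()
    for scope in scopes:
        allowed |= SCOPE_FIELDS.get(scope, set())
    return allowed - NEVER_EXPORT


def filter_record(record: Dict[str, Any], scopes: Iterable[str]) -> Dict[str, Any]:
    """Project a stored user record down to what this app may receive."""
    allowed = fields_for(scopes)
    return {k: v for k, v in record.items() if k in allowed}


def audit_leak(response: Dict[str, Any], scopes: Iterable[str]) -> List[str]:
    """Names of fields present in a response that the scopes do not permit.

    Run this over sampled partner-API responses: a non-empty result is a control
    failure, not a policy question.
    """
    return sorted(set(response) - fields_for(scopes))


# Constructed sample record; none of these values are real.
SAMPLE_USER: Dict[str, Any] = {
    "id": "10001",
    "name": "Example User",
    "email": "user@example.invalid",
    "phone": "+1-555-0100",
    "password_hash": "pbkdf2_sha256$600000$...$...",
    "session_tokens": ["tok_1"],
    "posts": ["hello world"],
}

if __name__ == "__main__":
    print(filter_record(SAMPLE_USER, ["public_profile", "email"]))
    print(audit_leak(SAMPLE_USER, ["public_profile"]))
```

The audit half matters as much as the filter: WatchGuard's point is that the sharing organisation must verify what actually crosses the boundary, and `audit_leak` run over captured responses is the cheapest such check.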

Digital Guardian cloud services security architect Naaman Hart

In the age of GDPR companies must realise that when they collect data they are responsible for it, regardless of whether they share it onwards or keep it themselves. 

It will be interesting to see whether litigation springs from this as I expect it might. 

In that case, the financial and reputational damage to Facebook might prompt them to ensure the companies they do business with are held to their own security standards. 
