Story image

Experts and execs comment on Facebook data leak

05 Apr 2019

Yesterday, cybersecurity company UpGuard broke the news of 540mil Facebook user records being exposed on the Internet due to misconfigured AWS servers.

The leak is another strike in a long list of Facebook’s faults as it scrambles to maintain its reputation.

Here is what cybersecurity experts and executives had to say about the data leak:

Tenable co-founder and CTO Renaud Deraison

Seems like every other week a security issue is discovered in the Facebook ecosystem.

Facebook is giving third-party app developers access to user data.

That means the company’s massive trove of data is in the hands of potentially thousands of third parties all over the world.

App developers are focused mainly on bringing new offerings to market quickly - it’s what consumers have come to expect.

It looks like Facebook doesn’t have enforced guidelines when it comes to how its partners handle cybersecurity.

Ping Identity Asia Pacific chief technology officer Mark Perry

The latest reports of user passwords exposed in plaintext on public servers by Facebook is lamentable, but all too common event in the technology industry.

Tech companies are the custodians of user credentials and other personally identifiable information, a valuable resource in today's world.

Ping Identity's message to tech companies is simple: encrypt user data at rest and in transit; use up to date, off-the-shelf password hashing algorithms; don't write your own security code; monitor attack vectors like APIs using modern, threat-aware solutions; and control access to your services and applications using multi-factor authentication and fine-grained access control for everyone that touches them: end users, developers and system administrators.

CQR Consulting chief technology officer and co-founder Phil Kernick

The most recent breach of Facebook data only underscores the reality of the business models of social media platforms – the users are not the customers, they are the product.  

Your data is collected, filtered, aggregated and then sold to any business that agrees to comply with Facebook’s policy of not storing it unprotected. 

Whether these third parties actually comply is a contractual matter with Facebook and the user’s whose data is compromised have no say in the matter. 

While Facebook has recently made announcements that they will take a privacy-first approach to user data, this seems to be more a response to avoiding Government oversight than genuine care for their users. 

They’ve made these promises before. 

They’ve broken these promises before. 

Aura Information Security general manager Peter Bailey

As far as data privacy and security goes, Facebook is having a particularly bad run and the company is fast becoming the poster child for what not to do. 

First the Cambridge Analytica saga, then the security flaw that allowed hackers to access 50 million Facebook accounts… and now this.  

It’s becoming increasingly apparent that Facebook simply isn’t taking their duty of care in regards to the privacy of the data of its users seriously enough. 

Social media platforms like Facebook are about trust, if users don’t feel they can use them safely, we’re going to see more people leave the platform.

WatchGuard Technologies A/NZ regional director Mark Sinclair

Organisations need to be very careful when sharing sensitive data with other third-party organisations. 

Third parties are often a much easier target and, once compromised, can also act as a launching pad for a cyber-attack on the original organisation.  

Any organisation that shares data should be reviewing their API's to ensure controls are in place to limit sensitive data and regular audits be done on the third parties to ensure compliance to privacy regulations and IT security standards.

Digital Guardian cloud services security architect Naaman Hart

In the age of GDPR companies must realise that when they collect data they are responsible for it, regardless of whether they share it onwards or keep it themselves. 

It will be interesting to see whether litigation springs from this as I expect it might. 

In that case, the financial and reputational damage to Facebook might prompt them to ensure the companies they do business with are held to their own security standards. 

Industrial control component vulnerabilities up 30%
Positive Technologies says exploitation of these vulnerabilities could disturb operations by disrupting command transfer between components.
McAfee announces Google Cloud Platform support
McAfee MVISION Cloud now integrates with GCP Cloud SCC to help security professionals gain visibility and control over their cloud resources.
WatchGuard announces A/NZ partners awards
Four Australian companies were named partner award winners at the WatchGuard conference in Vietnam.
Telstra’s 2019 cybersecurity report
Cybersecurity remains a top business priority as the estimated number of undetected security breaches grows.
Why AI and behaviour analytics should be essential to enterprises
Cyber threats continue to increase in number and severity, prompting cybersecurity experts to seek new ways to stop malicious actors.
Scammers targeting more countries in sextortion scam - ESET
The attacker in the email claims they have hacked the intended victim's device, and have recorded the person while watching pornographic content.
Cryptojacking and failure to patch still major threats - Ixia
Compromised enterprise networks from unpatched vulnerabilities and bad security hygiene continued to be fertile ground for hackers in 2018.
Why cybersecurity remains a top business priority
One in two Australian businesses estimated that they will receive fines for being in breach of new legislation.