Facebook announced that it experienced a breach last week that lost 50 million users’ data. Ironically, the breach happened in part due to exploited bugs in three features developed to give users more control over their privacy. Some quick key lessons to take away from this breach:
- This is just the beginning of breaches in the platform economy. It is easy to forget just how many users Facebook has. In Q2 of 2018, Facebook had 2.234 billion active worldwide users. In truth, 50 million users is just a small fraction of their overall users. However, the platform economy of today concentrates users and their data in a few mega-firms that become prime targets for attack. If criminals rob banks because “that’s where the money is,” then hackers will attack platforms in the data economy since “that’s where the data is.” Large concentrations of data are hard to resist.
- These features were created in a rush to show Facebook’s commitment to greater privacy. After spending most of 2018 pretending it had not operated with scorn for user privacy in the 10-plus years since its inception, Facebook promised a newfound commitment to transparency and privacy. Those promises required follow-through, requiring Facebook to release several new features for end users. Companies frequently rush to publish new features — in fact, an old Facebook motto was “move fast and break things” — but this is not an excuse to forgo security tests or controls. In the age of the customer, new features are fundamentally expected to provide secure and safe experiences, not just new functionality. Had Facebook cared about privacy before Cambridge Analytica’s whistleblower made the news, these controls may not have been deployed with security flaws.
- This breach represents another hit for Facebook’s already battered privacy and security. As this is just another event in what seems like a very bad year for Facebook and privacy and security, we must wonder if what has come before this breach is part of what caused it. Facebook is in search of a new CISO, scrambling for proof of privacy after the Cambridge Analytica leak, all while trying to show they are above data losses such as when their search tool lost most of its 2 billion users’ data. The internal strife and competing priorities must be tough to balance. This year’s chaos may have contributed to poor application security or at least consumed security resources that allowed these flaws to slip through. Facebook needs to commit to a superstar security leader, and that leader needs to help hold Facebook accountable for the security and privacy promises it makes.
- GDPR forced Facebook’s hand. With the advent of GDPR, companies are forced to notify affected customers about a data breach within 72 hours. Before GDPR, companies that were embarrassed — or just wanted to hide their poor security practices — could try to hide these breaches. This new world — thankfully — forces companies to face their mistakes and fix them or show themselves as not caring about customer security and privacy. This means that the initial notification will lead to more questions than answers; it also removes the ability to hide behind “neither confirm nor deny” Glomar statements. Facebook is now on the hot seat to provide investigative details about what happened, when, and what was affected as a result. This level of transparency is impossible without regulation like GDPR and CCPA.
- Customer app and service security is a requirement. Guy Rosen, Facebook’s vice president of product management, explained the combination of bugs that led to the data breach in a call with the press today. I’m betting that on Monday morning Mr. Rosen did not expect to end the week explaining a chain of bugs that led to users receiving a forced logout notification. Product managers are often said to be “CEO of a product,” which means they need to make security an executive priority. Securing your customer-facing applications, products, and services must become a product management priority, and security teams are here to help. Stay tuned for more research on this topic from us soon.
What To “Like” About Facebook’s Breach

Take note of the following considering the Facebook breach:
- Facebook has done a good job of responding . . . so far. The details Facebook has shared have been specific and transparent. This response is in stark contrast to pre-GDPR responses, where cover-ups and too much time between breach and notification were all too common.
- Platforms bring new risks. Almost every business we speak with talks about enabling internal and external platforms. Increasing connectivity, Agile development, and platform business models mean breaches can rapidly expand in size and scope. Three software flaws allowed attackers to make use of the very nature of the platform to exponentially expand the initial attack and harvest those accounts. This is one of the risks that the platform economy brings to companies, and it highlights the increased importance of application security.
- Security and privacy issues have a long tail. As mentioned earlier, Facebook is still recovering from the beatings it received at the hands of government in the US and UK earlier this year. Just a few months later, a data breach occurs, consuming more bandwidth and attention from executives and practitioners. No one can doubt that Facebook has had to sideline internal projects and initiatives to scramble and deal with the issues this year presented for them. Facebook rose to prominence with a reckless disregard for user privacy, but karmic retribution arrived in 2018 in the form of whistleblowers, regulators, and hackers. Put simply, your company must pay attention to security and privacy now or face it later when inattention turns into emergency.
(This post originally appeared on the Forrester Research blog.)