A failure to protect

Facebook has suffered a succession of serious data leaks that have left customer data worryingly exposed. The company's past promises to reform its processes and protect these precious assets seem little better than hollow and worthless

Facebook recently experienced yet another serious data leak, this time exposing phone numbers linked to 419 million user accounts, unprotected by any password. Each of these data records contained both the Facebook ID unique to every member and the phone number that was listed as being connected to that account. And all this despite Facebook stating a year and a half ago that it was making changes to "better protect people's information" by restricting access to this data. In that announcement, Facebook also said: "We know we have more work to do" - which has indeed been confirmed by this massive, and massively embarrassing, data leak.

Facebook scandals have continued to dominate the headlines over the past couple of years, with incidents of frequent data mismanagement creating widespread criticisms over the failures of major organisations. "In the modern world, information is power and, with the very nature of its business model, trading data will always be a central aspect of Facebook's plans," states David Emm, principal security researcher at Kaspersky. "However, this must be done in a secure way, and with people's knowledge and consent. After all, whether it's your interests, images or date of birth, social media apps collect a whole host of personal information - which can have disastrous consequences, if managed or stored incorrectly. Ultimately, consumers' data safety boils down to two things: can an online provider guarantee that it secures all of this information by encrypting sensitive data; and can it ensure that it never shares this data with any third parties without permission?"

Referring to the latest Facebook failure, Emm comments: "This incident cannot be described as a breach; instead, it's a leak. With 419 million account details stored on a non-password protected server, the scary thing is that anyone could access this sensitive data. Perhaps the most worrying thing about the leak is the phone numbers, given just how valuable mobile numbers have become in the current climate. With more and more online services incorporating mobile numbers into multi-factor authentication, they are becoming an incredibly profitable asset for cybercriminals."

As a result, consumers should consider limiting what they share and, instead of having a one-time passcode sent to their mobile by SMS, use a one-time passcode generated by a mobile app, he argues. "Once a provider has personal data, including mobile phone numbers, there isn't much that consumers can do to avoid giving data like this."

So, what needs to be done to help avoid a recurrence of a potentially devastating leak like this? "The real pressure to address this issue lies with Facebook, which must take far more care when protecting sensitive personal information," says Emm. "Simple though it may seem, by ensuring that all of this data collected from consumers is encrypted and is only accessible to authorised personnel, Facebook can avoid similar incidents moving forward. No matter its scale or financial resources, every business must accept its sole responsibility to safeguard consumer data.

"For all of the debates surrounding how liable Facebook is, the reality is the following: it has a responsibility to guarantee that this data is secured properly and not on unsafe servers. Many people will be understandably wary about trusting Facebook with such personal information, given the company's recent track record. Facebook has a great deal of work to do to restore consumer trust. These events should be a chilling reminder to all organisations about the extent to which exploiting your customers through poor data management can inflict significant reputational damage."

When it comes to data leaks, we often imagine hackers who use criminal methods to crack passwords and seize private information. However, with a host of new scandals surfacing over recent years, how can large, financially well-equipped companies secure their data? "Both cloud providers and users play a role in protecting data from unwanted attackers," says Sab Knight, head of UK sales at 1&1 IONOS. "Insecure databases, or fragile encryption technologies on the part of the providers, are recurring themes in cyber-attacks. In addition, users need to improve weak passwords, be vigilant about phishing attacks and be mindful of business models that exist to sell user data to the highest bidder - for example, Cambridge Analytica."

However, one important form of data leak that is often ignored is access through government channels, he points out. "What many do not know is that US authorities can legally access data in the cloud if it is located in data centres of US cloud providers - even if these data centres are located outside the USA. This falls under the US CLOUD Act legislation. In some cases, US authorities don't even need a court order and cloud providers are not actually obliged to notify their customers, if such access takes place. This affects all major US providers, whether social networks, search engines or cloud infrastructure providers, where sensitive business data is held."

This poses a real issue for European companies that are GDPR compliant, due to conflicting requirements with the US CLOUD Act. "According to EU rules, EU Cloud providers must ensure that the data they handle is not shared with third parties," adds Knight. "If access to this data is granted on the basis of the US CLOUD Act, the EU company would have to violate GDPR. On the other hand, if the cloud provider refuses to hand over the data, it is in breach of US law."

For EU companies, no matter the size, the current solution to this issue is to choose cloud providers based in the EU that do not store or process data anywhere other than European data centres. "Sensitive personal and business data must be kept out of the sphere of influence of the US CLOUD Act. Companies should instead rely on an experienced GDPR-compliant European service provider, one that processes their data according to the current highest data protection and data security standards, and that will continue to support this in the future."

Of course, it isn't only Mark Zuckerberg's megacorp that has failed to honour its commitments to keep clients' data from harm. "It's a given that, at some point this year, a large enterprise will leak a large cache of personal data," says Paul Donovan, VP EMEA, Pulse Secure. "Facebook, Yahoo, Marriott International: all household names that between them have unintentionally disclosed billions of records." Data leaks predominantly happen in three ways, he adds. "The first is through an active hacker attack where defences are breached and the cyber criminals steal data. Next is the sieve where, through poor design or processes, data is not secured and is in effect funnelling out of an organisation - as in a couple of recent examples, pooling in unsecured cloud storage, due to a developer oversight. Lastly, there is accidental or, in some cases, malicious disclosure. In the old days, this was a lost laptop or misplaced USB. Today, a fat-fingered employee or disgruntled manager can open the data flood gates."

How do you stop it? "The answer is: you can't," concedes Donovan. "But you can make it much less likely. The fundamental shift requires organisations to move to a model where all requests for access to applications and data require authentication. This means adopting a Zero Trust approach, based on least privileged access, which negates trust of users and things by default, even if inside a network perimeter.

"The model proposes increased user, device and security posture verification closest to the resource, as well as centralised, granular policy management. Where possible, the model suggests separating the control plane, which is used to determine if a transaction should be allowed, based on control attributes, such as identity authentication, from the data plane where a protected, trusted transaction occurs directly between entities."

However, it is almost certain that at least some of these headline breaches would have deployed elements of Zero Trust and still had millions of records exposed. "The issue for many organisations is that badly implemented security controls can inhibit productivity. As a result, organisations or even individuals, from developers to CEO, may well circumvent security to gain a productivity edge. The solution is not chastisement, but for IT departments to adjust policies and controls, as well as education, to minimise this effect. As a practical example, invoking notification response, rather than denial for some policies, will inform users to change their behaviour. Automating endpoint remediation functions or redirecting users to self-remediation portals prior to access can also reduce future potential connectivity issues," he advises.
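The Zero Trust model Donovan describes (default deny, least-privileged access, verification of identity and device posture at the resource, a control plane that decides and a data plane that serves, and "notify" rather than "deny" for policies that would otherwise push users to work around security) can be made concrete in a small policy engine. The following is an added example written for this article, not code from Pulse Secure or any vendor; the roles, policies, resources, requests and the self-service URL are all constructed for illustration.

```python
"""Added example (not from the article or any vendor): a minimal zero-trust
control plane. Every request is denied unless identity and device policies
pass and the caller's role holds an explicit grant for the resource and
action. Selected policies run in "notify" mode: the request proceeds but the
user is told what to remediate. Being inside the network perimeter grants
nothing. All names and sample requests are constructed."""
from dataclasses import dataclass, field

# Least-privilege grants: role -> {resource: set of allowed actions}. Constructed.
GRANTS = {
    "support": {"crm/tickets": {"read"}},
    "dba": {"crm/tickets": {"read", "write"}, "users/phones": {"read"}},
}

# (name, check, enforcement mode, notice). mode="deny" blocks the request;
# mode="notify" lets it through and records a remediation message.
POLICIES = [
    ("identity_authenticated", lambda r: r.authenticated, "deny", None),
    ("mfa_present", lambda r: r.mfa, "deny", None),
    ("device_managed", lambda r: r.device_managed, "deny", None),
    ("agent_up_to_date", lambda r: r.agent_version >= 3, "notify",
     "endpoint agent outdated: visit https://selfservice.example/update (constructed URL)"),
]


@dataclass
class Request:
    user: str
    role: str
    resource: str
    action: str
    authenticated: bool = False
    mfa: bool = False
    device_managed: bool = False
    agent_version: int = 0
    inside_perimeter: bool = False  # deliberately ignored: location confers no trust


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    notices: list = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Control-plane decision: default deny. Every deny-mode policy must pass,
    notify-mode failures are recorded, and the role needs an explicit grant."""
    decision = Decision(allowed=False)
    for name, check, mode, notice in POLICIES:
        if check(req):
            continue
        if mode == "deny":
            decision.reasons.append(f"policy {name} failed")
        else:
            decision.notices.append(notice)
    if decision.reasons:
        return decision
    allowed_actions = GRANTS.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        decision.reasons.append(f"no grant for {req.role} on {req.resource}:{req.action}")
        return decision
    decision.allowed = True
    return decision


def data_plane_fetch(req: Request, store: dict) -> list:
    """Data plane: the records are served only after the control plane allows it."""
    decision = evaluate(req)
    if not decision.allowed:
        raise PermissionError("; ".join(decision.reasons))
    return store[req.resource]


if __name__ == "__main__":
    store = {"users/phones": ["+44 7700 900000 (constructed)"], "crm/tickets": ["T-1"]}
    inside = Request("alice", "support", "users/phones", "read", inside_perimeter=True)
    print(evaluate(inside))  # denied: perimeter location is not an attribute the policy trusts
    ok = Request("bob", "dba", "users/phones", "read",
                 authenticated=True, mfa=True, device_managed=True, agent_version=2)
    print(evaluate(ok))  # allowed, with one remediation notice
```

The separation matters for the failure modes the article lists: an exposed storage bucket is a data plane that answered without ever consulting a control plane, and a "notify" policy gives the IT department the adjustment Donovan recommends without opening a hole that users will route around.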

The last issue is testing. "Globally, enterprises spend around $120 billion annually on IT security products and services. Yet the penetration testing market is somewhere between $1 and $2 billion, which suggests that organisations are still focused on building walls and less on finding out if they are sturdy."

Facebook's business model is built around gathering as much data as possible, from as many people as possible, and then monetising that data through a vast advertisement network, points out WatchGuard senior security analyst Marc Laliberte. "Any organisation whose primary asset is data becomes a prime target for threat actors wishing to steal that data. For Facebook specifically, the threat is compounded by a business model built on sharing data with third parties. Many people don't realise that the Cambridge Analytica 'breach' several years ago, that put Facebook's privacy practices under the spotlight, wasn't even a breach. Cambridge Analytica was operating fully under Facebook's own policies at the time as they were harvesting information from millions of users."

There is no denying that Facebook is a cultural phenomenon with more than 2.4 billion active users as of most recent counts, he adds. "That success has put a lot of pressure on Facebook to be a leader in privacy and data breach defence, something they are sadly still failing at.

"The latest Facebook privacy scandal, leaking 419 million phone numbers, would likely have not even made the news, were it any other company. But Facebook should be doing a better job than they are, because of their prominence. There is simply no excuse in 2019 to leave a database full of customer information exposed to the internet, even if they are just phone numbers."

"One would think that an organisation with as much revenue as Facebook would have one of the strongest cyber defences on the planet, but it's clear that the target painted on their back outweighs their defence investment," states Laliberte. "The good news is, every organisation can learn from Facebook's (many) mistakes. This latest incident for example, highlights the need for better database and cloud storage security practices. If you utilise cloud-based data storage, as you likely do, perform regular audits to ensure data is only accessible by those who explicitly require access.
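Laliberte's practical recommendation, a regular audit of cloud storage and databases so that data is accessible only to those who explicitly require it, is the kind of check that can be automated. The block below is an added example, not WatchGuard's or any cloud provider's tooling: it audits a constructed inventory of data stores (store names, principals and the record format are all invented here) and flags the exact conditions behind the leak in this article, a store reachable without authentication or with a public grant, plus any principal holding access beyond the store's required-access list. In practice the inventory would be populated from the provider's own API rather than written by hand.

```python
"""Added example (not from the article, WatchGuard or any cloud provider):
an offline audit over a constructed inventory of data stores. It reports
stores reachable without authentication, public grants, and grants to
principals that are not on the store's required-access list. The inventory
format, store names and principals are constructed for illustration."""
from dataclasses import dataclass

# Wildcard principals that make a grant public. Constructed names; real
# providers use their own identifiers for "anyone".
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers", "*"}

# Constructed inventory: one record per storage bucket or database.
INVENTORY = [
    {"name": "phone-export-2019", "classification": "personal",
     "auth_required": False,
     "grants": [{"principal": "*", "access": "read"}],
     "required_access": {"svc-support-api": {"read"}}},
    {"name": "ticket-archive", "classification": "internal",
     "auth_required": True,
     "grants": [{"principal": "svc-support-api", "access": "read"},
                {"principal": "alice@example.test", "access": "write"}],
     "required_access": {"svc-support-api": {"read"}}},
    {"name": "billing-db", "classification": "personal",
     "auth_required": True,
     "grants": [{"principal": "svc-billing", "access": "write"}],
     "required_access": {"svc-billing": {"write"}}},
]


@dataclass(frozen=True)
class Finding:
    store: str
    severity: str
    message: str


def audit(inventory):
    """Compare each store's effective access against what is explicitly required."""
    findings = []
    for store in inventory:
        name = store["name"]
        required = store["required_access"]
        if not store["auth_required"]:
            findings.append(Finding(name, "critical", "reachable without authentication"))
        for grant in store["grants"]:
            principal, access = grant["principal"], grant["access"]
            if principal in PUBLIC_PRINCIPALS:
                findings.append(Finding(name, "critical", f"public {access} grant to {principal}"))
            elif access not in required.get(principal, set()):
                findings.append(Finding(
                    name, "high",
                    f"{principal} holds {access} but is not on the required-access list"))
    return findings


def stores_needing_action(findings):
    """Stores with at least one critical finding, sorted for a stable report."""
    return sorted({f.store for f in findings if f.severity == "critical"})


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(f"[{finding.severity}] {finding.store}: {finding.message}")
    print("act now:", stores_needing_action(INVENTORY and audit(INVENTORY)))
```

The required-access list is the point of the exercise: auditing grants against "who is allowed" is easy to satisfy by widening the allow list, whereas auditing against "who explicitly needs this" forces every extra principal to be justified or removed.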

"We can also learn from previous Facebook breaches, like the chain of vulnerabilities an attacker exploited back in 2018 to obtain full access to tens of millions of accounts. Web application vulnerabilities are still a major threat vector, and organisations that maintain a web presence should ensure they've taken time to audit and monitor their tools."

Laliberte doubts that Facebook will ever regain what little trust they had with their users' privacy after the recent deluge of breaches, but that doesn't mean people will stop using its services any time soon. "With Facebook, and any other social media platform," he concludes, "we simply have to do the best we can at limiting the amount of information we provide and accept that anything we give up will likely become public at some point in the future." Not the most hopeful verdict.


A serious data leak has seen one major car components manufacturer suffer a $37 million-plus loss. Yet the business email compromise (BEC) attack could have been prevented with the correct awareness training, argues Carl Wearn, head of E-Crime at Mimecast.

"Impersonation emails, particularly those purporting to be trusted third parties or senior company officials, are increasing. Their sophistication is also increasing, and I expect this trend to continue and potentially accelerate with the use of machine learning," he cautions. "Organisations need to ensure that processes are in place to verify any change in payment details via known trusted sources and means. Under no circumstances should an email alone be accepted at face value, even if claiming to be from a trusted source. These may additionally contain malware in any attachments."

Individuals in particular positions of trust within any organisation, such as HR, finance, IT administrators and senior company executives, need to be particularly vigilant for impersonation emails. "And employees should also be wary and prepared to verify any payment or invoice-related requests received by email and supposedly from these key individuals. Criminals are increasingly actively seeking to exploit simple human processes, and the trust between individuals and organisations to make money. As the use of this attack vector is increasing, organisations need to ensure verification processes are implemented as soon as possible. Without them, as this example shows, significant losses can result."
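The verification process Wearn describes has one rule at its core: a change to payment details is confirmed only through a contact the organisation already holds on file, never through the phone number or address quoted in the email that requested the change. The block below is an added example, not Mimecast's or the manufacturer's process; the supplier record, the change requests and the callback log are constructed, and the check is deliberately blind to how convincing the email looks.

```python
"""Added example (not from the article or Mimecast): a payment-details change
check that treats the requesting email as untrusted. The change is applied only
when a confirmed out-of-band callback went to the supplier's phone number on
file; a callback to a number supplied in the email never counts. Supplier
records, requests and callback entries are constructed."""
from dataclasses import dataclass

# Constructed supplier master data: the system of record, not the email.
SUPPLIERS = {
    "ACME Parts GmbH": {
        "iban": "DE00 CONSTRUCTED 0001",
        "domain": "acme-parts.example",
        "verified_phone": "+49 30 0000001",
    },
}


@dataclass
class ChangeRequest:
    supplier: str
    new_iban: str
    from_email: str
    phone_in_email: str = ""  # "call me on this number to confirm", if the email offers one


@dataclass
class Verification:
    supplier: str
    number_called: str
    confirmed: bool


def check_change(req, suppliers, verifications):
    """Return (apply, reason). Only a confirmed call to the number on file releases the change."""
    record = suppliers.get(req.supplier)
    if record is None:
        return False, "unknown supplier"
    if req.new_iban == record["iban"]:
        return True, "no change in bank details"

    # Sender-domain mismatch is a warning, never a substitute for verification.
    sender_domain = req.from_email.rsplit("@", 1)[-1].lower()
    warnings = []
    if sender_domain != record["domain"]:
        warnings.append(f"sender domain {sender_domain} does not match {record['domain']}")
    suffix = ("; " + "; ".join(warnings)) if warnings else ""

    mine = [v for v in verifications if v.supplier == req.supplier]
    genuine = [v for v in mine if v.confirmed and v.number_called == record["verified_phone"]]
    if genuine:
        return True, "confirmed via phone number on file" + suffix

    # A callback to the number the email itself supplied is self-referential.
    if req.phone_in_email and any(v.number_called == req.phone_in_email for v in mine):
        return False, "verification used a number supplied in the request; call the number on file" + suffix
    return False, "hold: no out-of-band confirmation via the contact on file" + suffix


if __name__ == "__main__":
    req = ChangeRequest("ACME Parts GmbH", "DE00 CONSTRUCTED 0002",
                        "accounts@acme-parts-invoices.example", phone_in_email="+49 30 9999999")
    print(check_change(req, SUPPLIERS, [Verification("ACME Parts GmbH", "+49 30 9999999", True)]))
    print(check_change(req, SUPPLIERS, [Verification("ACME Parts GmbH", "+49 30 0000001", True)]))
```

Keeping the decision in a function that finance staff do not bypass is what turns "be wary" into a process: the email can be as polished as it likes, but the change still waits for a call placed to a number the organisation chose.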