The data scraping attack that exposed 533 million Facebook users’ personal information may not seem like a problem for eCommerce brands. Much of the media analysis of the leak has focused on how Facebook delayed reporting the incident, downplayed the severity and planned to “normalize” data leaks. However, any data leak or breach poses a threat to brands and merchants, and they need to know how to protect their business.
While it’s true that the scraped data didn’t include passwords or credit card numbers, it did include information that fraudsters can exploit, like phone numbers, email addresses and locations. That creates opportunities for scammers to impersonate brands, phish their customers, take over their accounts and make fraudulent purchases. These kinds of fraud can erode customers’ trust in brands and stick brands with lost revenue, higher fraud costs and expensive reputational damage. Here’s how brands can safeguard their social presence, protect their customers’ data and avoid account takeover fraud after massive data leaks like Facebook’s.
Protect your brand on social media
Because data breaches often lead to phishing attempts against the people whose data was exposed, and because brand impersonation is a common phishing strategy, brands should monitor social media and the web at large for impostor accounts, user profiles and websites. Report social media impostors to the platform and report impostor websites to their web hosting service.
Keep in mind that scammers can also hijack your legitimate social media accounts to steal data and misdirect customers to phishing sites. Protect your brand’s social media handles by
- restricting login access to a small group of trusted people.
- using strong passwords and two-factor authentication.
- protecting your company’s devices and networks with security software to prevent intrusions.
You can also use your social platforms to remind your followers that your brand will never ask them for their login credentials or payment information on social media, via email, by text or over the phone.
Build or review your brand’s incident response plan
Every business needs a response plan in place before it experiences an intrusion or a data breach, so that it can move quickly to limit the damage and salvage its customer relationships. The SANS Institute’s recently updated Incident Handler’s Handbook is available online. In 19 pages, it outlines what you need—plans and equipment—to respond fast in case of an attack on your business.
It also describes the key elements of a good response plan:
- Preparation, including response policies, communication plans, designation of response team members, and more.
- Identification of suspicious or malicious activity in your networks, email system or website.
- Containment of threats by isolating affected equipment and network segments and taking forensic system backups.
- Eradication to remove threats from affected machines and networks and restore them to working order.
- Recovery to bring restored systems, websites, and equipment back online with testing and monitoring.
- Reviewing lessons learned to avoid similar incidents in the future.
While your technical response team is going through these steps, your communications team should fulfil any reporting requirements to comply with GDPR, CCPA and other applicable data privacy rules. To retain your brand’s credibility, they should also inform your customers and the media about the extent of the breach and what you’re doing to fix the problem.
Watch for signs of ATO fraud after major data breaches
A data breach of your store that includes login credentials can quickly result in ATO fraud. However, data breaches of virtually any company can lead to spikes in eCommerce fraud, because so many people reuse passwords for multiple accounts. Even in a situation like the recently disclosed Facebook incident, which didn’t include passwords, phishing attacks can lead to ATO fraud if scammers can trick the affected social media users into sharing banking, online shopping or social account logins.
ATO fraud can be hard to spot because the orders seem to be coming from good customers. Machine-learning fraud control algorithms can identify unusual behavior that can indicate fraud, such as logins from new devices and locations, purchases that deviate from the customer’s past patterns, and shipping to new destinations.
When your fraud controls raise flags, there’s another step to take to protect your brand: Manually review the flagged orders instead of automatically rejecting them. The extra step of having a fraud analyst review suspicious orders can prevent you from losing revenue on a good order and offending a good customer.
This matters a great deal, because 39% of consumers in a five-country March 2020 Sapio Research survey for ClearSale said they would never do business again with a merchant that rejected their order. A quarter of them said they’d post on social media about the rejection, which would spread the brand damage. So, combining machine learning with manual review can protect your brand from data breach-driven ATO fraud and from the harm that false declines can do to your customer relationships.
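The screening flow described in this section, as an added example that is not part of the original article or any vendor's product: each order is compared with the account's own history on the four signals named above, and flagged orders are routed to an analyst queue rather than rejected. Fixed rules stand in for the machine-learning model here; the class names, thresholds and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class CustomerHistory:
    devices: set      # device IDs seen on past logins
    countries: set    # countries seen on past logins
    ship_to: set      # addresses used on past orders
    amounts: list     # past order totals

@dataclass
class Order:
    device: str
    country: str
    ship_to: str
    amount: float

def ato_signals(order, hist, z_limit=3.0):
    """List the ways this order departs from the account's own history."""
    signals = []
    if order.device not in hist.devices:
        signals.append("new_device")
    if order.country not in hist.countries:
        signals.append("new_location")
    if order.ship_to not in hist.ship_to:
        signals.append("new_shipping_destination")
    if len(hist.amounts) >= 3:  # too little history says nothing about spend
        mu, sigma = mean(hist.amounts), pstdev(hist.amounts)
        # Floor sigma so near-identical past amounts do not make every order an outlier
        sigma = max(sigma, 0.1 * mu, 1.0)
        if (order.amount - mu) / sigma > z_limit:
            signals.append("amount_outlier")
    return signals

def route(order, hist, review_at=2):
    """Flagged orders go to manual review; this function never auto-rejects."""
    signals = ato_signals(order, hist)
    decision = "manual_review" if len(signals) >= review_at else "approve"
    return decision, signals

# Constructed sample data (not real customers or orders)
HISTORY = CustomerHistory({"dev-a1"}, {"US"}, {"12 Elm St, Austin TX"}, [42.0, 55.0, 38.5, 61.0])
USUAL = Order("dev-a1", "US", "12 Elm St, Austin TX", 49.0)
GIFT = Order("dev-a1", "US", "9 Oak Ave, Denver CO", 58.0)
SUSPECT = Order("dev-zz", "BR", "PO Box 7, Miami FL", 890.0)

if __name__ == "__main__":
    for o in (USUAL, GIFT, SUSPECT):
        print(o.amount, *route(o, HISTORY))
```

The returned signal list is what the analyst sees alongside the order, so a single deviation such as a gift shipped to a new address passes while several at once are held for review.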
Data breaches are an ongoing problem
There were 1,001 documented data breaches in the U.S. alone in 2020, affecting more than 155 million people, and the number of breaches has trended upward over the past decade. The data they’ve exposed can be useful to scammers for years. All of that means brands need to stay vigilant about protecting their own data, having incident response plans, and thoroughly screening orders to weed out fraud while making sure that good customers can complete their purchases.