Last month, it was reported that more than 533 million Facebook users from 106 countries had their phone numbers, Facebook identification credentials, full names, locations, birthdates and some email addresses uploaded onto a hacking forum. The cause was a security issue in a contact import feature: a tool that allows users to find the Facebook profiles of people using phone numbers allowed third parties to scrape the data from the Facebook system and place it on the forum. Scraping involves using automated technology to lift information from the internet for distribution onto online forums. A loophole in the system allowed hackers to imitate Facebook administrators and pair users up with phone numbers.
Facebook claims that the issue was patched in 2019, that the latest incident was not a breach, and that the data has been available since the summer of 2019. Facebook has previously argued that the scraping occurred before GDPR became law (June 2017 – April 2018) and that it was under no duty to report to the Irish Data Protection Commission, which only learned about this incident from the media. That said, Facebook is now working with the Irish Data Protection Commission, which is focussed on whether the data leaked was in fact the data previously scraped.
Some have highlighted that this exposes Facebook’s use of phone numbers as a universal identifier. Phone numbers are increasingly used to connect people to their digital presence, including the use of two-factor authentication via text message and phone calls to verify one’s identity. Phone numbers rarely change and hackers have had unlimited access to these numbers.
Accordingly, Facebook has not notified the data victims. The exposed data includes the personal information of EU officials, including European Commissioner for Justice Didier Reynders, Federal Commissioner for Data Protection and Freedom of Information Ulrich Kelber, and Luxembourg Prime Minister Xavier Bettel. Facebook argues that the data was “old data” and that, because of this, it could not be confident of contacting the right people.
There is plenty of mileage left – will there be a class action brought against Facebook? Will the pressure we believe other regulators are exerting on the Irish Data Protection Commission lead to enforcement action?
It is tempting to think that this story only relates to Facebook and the huge volumes of personal data it processes, and that hackers will not be interested in smaller, less data-centric concerns. However, data breaches and the increasing sophistication of hackers mean that all businesses need to be prepared. If a company with the resources and profile of Facebook can have its systems compromised, then all businesses are vulnerable. Hiscox has estimated that in 20128 61% of UK businesses suffered a data breach and that the average time to detect a breach is 197 days.
This data breach presents a number of key takeaways:
Be prepared
All businesses have to work on a “when, not if” basis. When a breach happens:
- Who leads the response – the privacy manager (even if you do not need a Data Protection Officer, someone has to be responsible for the management of data); the IT department; or the Operations Team?
- Are you aware of the need to notify the ICO within 72 hours? Are you familiar with reporting to, and then dealing with, the ICO?
- Who do you need to also talk to – insurers; regulators; customers?
- How easy is it for you to switch to your backed up data?
- Do you have cyber insurance? What does it actually cover?
A data breach is more than an IT problem – a serious data breach will threaten any business, so the management team need to know how they will manage the aftermath. There is no substitute for testing the backup and having a well-thought-out, bespoke disaster recovery plan and data breach policy.
The weakest link
Although article 32 of the GDPR requires Data Controllers and Data Processors to implement technical and organizational measures that ensure a level of data security appropriate for the level of risk presented by processing personal data, the reality is any system is only as good as its staff. No system can eliminate human error.
Effective and regular training will educate staff as to why there are procedures, how opening one malware email could jeopardise everyone’s job, and why “strong” passwords are so important. If staff understand that hackers regard employees as the gateway to the system, employees will be more vigilant.
When a breach is reported under the GDPR (and the DPA 1998 which the GDPR replaced), the “staff training question” is always asked. Educating is important, but without up-to-date records of who was trained, when, and on what syllabus, the ICO may remain sceptical. Is privacy training part of the induction process?
Following on from this, could your staff identify a breach and know who to contact? Are they aware that there are only 72 hours, that the clock does not wait until 9am on the next working day to start ticking, and that there is no pause for weekends?
The GDPR mandates that a record of processing activities is maintained. This is not a meaningless “tick box” exercise but enables a risk assessment. This is a useful management exercise. All the categories of incoming data are identified with the subsequent data journeys understood. Where does the data originate; who processes; where is the data housed; how risky is the data (medical records; bank details; CVs etc); how long is it retained. The risk assessment will allow the management to make appropriate changes. Those staff who process the risky data will need additional training.
There is an easy temptation to equate a data breach with IT in general and hacking in particular, and to assume that a breach involves the entire business’s data being compromised. However, a data breach is also letting the cleaner look at sensitive data left on an employee’s desk, or not using recorded delivery or not encrypting an email when sending sensitive data. These are one-off, isolated mistakes that can also cause a lot of collateral damage. So staff training has to reflect how the business operates, so that staff are less prone to errors such as those listed above.
If the ICO discovers that a business has not attended to compliance then, in addition to all the business risks it faces in the aftermath of the breach, the ICO may open a second front and levy a fine. A fine of 4% of turnover will damage any business’s financial health.
The issues raised go beyond the IT system. Data breaches occur without warning, and unless a holistic approach is taken to firstly dealing with a breach and secondly making a breach more difficult, a business is exposing itself to unnecessary risk.