On Thursday, Brian Krebs posted another riveting story about the largest social media company in the world, a company that owns two of the three largest social media networks. You guessed it: Facebook is in the news again.
The company has had serious privacy issues, both internal and external, over the past 13 years.
• 2006: Unveiled the “News Feed”, which broadcast your activity to your friends’ accounts without your permission. After an initial pushback, many people today couldn’t live without the feature.
• 2013: A white-hat (ethical) hacker identified a code bug that exposed users’ email addresses and phone numbers to anyone who knew some information about them.
• 2014: Facebook selected a sample of users, without their knowledge, and tested whether their mood changed when they were shown predominantly positive or negative posts.
• 2014: Prior to the 2016 Presidential election, Cambridge Analytica harvested the information of 50 million users for use in political advertising.
• 2019: 29 million accounts were scraped for personal information by third parties taking advantage of bugs in the Facebook code.
At this point we are not sure of the full scope of the latest security issue, but Brian Krebs reported that “hundreds of millions [200 – 600 million per Facebook] of Facebook users had their account password stored in plain text [not encrypted] and searchable by thousands of Facebook employees.” This includes Facebook, Facebook Lite and Instagram, and dates back to 2012. I’m glad I closed my Facebook account over 7 years ago.
The most urgent thing you need to do is change your personal and your company’s Facebook and Instagram account passwords. There is no reason to wait for more information from Facebook about this issue.
I hope to cover the technical suggestions in more detail in coming months, through these articles or in conversations with you directly. Managing the data lifecycle becomes more important with each one of these events. Here are some things you can do:
• Create an inventory of your data: where each copy lives (databases, servers, internal, external, etc.) and how critical it is
• Map out how the critical data flows through business processes and technology. This goes well beyond mapping the physical infrastructure.
• Consider encrypting data at rest
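The three steps above, turned into a small runnable illustration added here (this is not code from the original article or from YHB): a Python data inventory that records every copy of a data item, where it rests and whether it is encrypted there; a flow map between systems; and two checks that fall out of those records, critical data stored without encryption at rest, and systems that persist critical data but are missing from the inventory (an undocumented copy, such as an application log). All system names, data items and flows are constructed sample values, not any real company's data.

```python
"""Data inventory and data-flow checks (added example; sample data is invented)."""
from collections import deque
from dataclasses import dataclass

# Ordering used to compare criticality levels.
CRITICALITY = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class DataAsset:
    """One copy of a data item resting in one system."""
    name: str             # what the data is, e.g. "account_password"
    location: str         # system that stores it at rest
    criticality: str      # "low", "medium" or "high"
    encrypted_at_rest: bool


@dataclass(frozen=True)
class Flow:
    """Data moving from one system to another."""
    source: str
    destination: str
    assets: frozenset     # names of the data items carried by this flow
    persists: bool        # True if the destination writes the data to disk


# Constructed sample inventory (invented systems).
INVENTORY = [
    DataAsset("account_password", "auth-db", "high", True),
    DataAsset("account_password", "app-logs", "high", False),  # plaintext copy in logs
    DataAsset("email_address", "crm-db", "medium", True),
    DataAsset("marketing_prefs", "crm-db", "low", False),
]

# Constructed sample flow map. Note that app-logs forwards to a log-search
# system that nobody recorded in the inventory.
FLOWS = [
    Flow("web-frontend", "auth-service", frozenset({"account_password", "email_address"}), False),
    Flow("auth-service", "auth-db", frozenset({"account_password"}), True),
    Flow("auth-service", "app-logs", frozenset({"account_password"}), True),
    Flow("app-logs", "log-search", frozenset({"account_password"}), True),
    Flow("web-frontend", "crm-db", frozenset({"email_address", "marketing_prefs"}), True),
]


def unencrypted_at_rest(inventory, min_level="high"):
    """Copies at or above min_level that rest somewhere without encryption."""
    threshold = CRITICALITY[min_level]
    return sorted(f"{a.name}@{a.location}" for a in inventory
                  if CRITICALITY[a.criticality] >= threshold and not a.encrypted_at_rest)


def downstream_systems(flows, asset_name, start):
    """Every system an asset reaches, transitively, when it enters at `start`."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for f in flows:
            if f.source == node and asset_name in f.assets and f.destination not in seen:
                seen.add(f.destination)
                queue.append(f.destination)
    return seen


def unrecorded_resting_places(inventory, flows, min_level="high"):
    """Persisting flows that deliver critical data to a system the inventory does not list."""
    threshold = CRITICALITY[min_level]
    critical = {a.name for a in inventory if CRITICALITY[a.criticality] >= threshold}
    known = {(a.name, a.location) for a in inventory}
    return sorted(f"{name}@{f.destination}"
                  for f in flows if f.persists
                  for name in f.assets & critical
                  if (name, f.destination) not in known)


def report(inventory, flows):
    """Both findings in one structure, suitable for a review meeting or a ticket."""
    return {
        "unencrypted_critical_copies": unencrypted_at_rest(inventory),
        "critical_copies_missing_from_inventory": unrecorded_resting_places(inventory, flows),
    }


if __name__ == "__main__":
    for key, findings in report(INVENTORY, FLOWS).items():
        print(f"{key}: {findings}")
    print("password reaches:", sorted(downstream_systems(FLOWS, "account_password", "web-frontend")))
```

Running it on the sample data reports the plaintext password copy in `app-logs` and the `log-search` system that holds passwords without appearing in the inventory; following the flow map shows the password reaching four systems even though the inventory only knows about two. The point of the exercise is that the flow map finds copies the inventory alone never would, which is why the second step above goes beyond mapping physical infrastructure.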
I would contend that most of us do not know or care whether our unencrypted passwords resided on a server owned or managed by Facebook or by a third-party provider. Likewise, your customers (and employees) probably do not care where their data physically resides. They hold you accountable for securing it. Your company should take responsibility for ensuring data is secure throughout the entire data lifecycle. Keep that in mind as you continue to develop a mature data security posture.
About the Author
Stephen is a Manager at YHB and serves on the Risk Advisory Services Team. Stephen has extensive experience in IT Audit and Advisory Services. His background includes internal and external IT Audit services for state and federal agencies and Fortune 500 companies in retail, manufacturing and financial lending.