Cambridge Analytica Breach Reveals Facebook’s Weak User Data Defenses

NEWS ANALYSIS: The misappropriation of 50 million Facebook profiles for political data mining without user consent may not directly affect your organization, but the conditions that allowed it to happen certainly do.


The revelation over Saint Patrick’s Day weekend that Facebook allowed a data mining company to gather the records of 50 million American users is just the most recent case in which the social network has failed to prevent access to user records.

Facebook has been the subject of previous privacy investigations by the Federal Trade Commission that culminated in a consent decree in 2011 and a warning letter in 2014.

The data loss occurred when a researcher at mining firm Cambridge Analytica offered to pay some Facebook members to conduct research. While those users were told that their personal profiles would be used, what actually happened is that the researchers also obtained the complete profiles of their friends. 

“Facebook should have never disclosed this data to a third party,” Marc Rotenberg, president of the Electronic Privacy Information Center, said in an email. “But the FTC dropped the ball. It simply failed to enforce its own legal judgment.”

But Facebook failed to protect the data. The company apparently found out about the data loss in 2015, and asked Cambridge Analytica to erase the data it had gathered improperly, but according to an investigation by the New York Times, this never happened. 

It would be bad enough if this were an isolated case, but the fact is that Facebook is rife with data miners, according to a report in The Washington Post. Those data mining operations frequently appear as games or apps that offer entertainment, but they share one feature: they ask permission to gather your profile information, and they also go after your friends and gather their information as well.

If your company has a presence on Facebook, which is likely since it’s widely used by organizations as a way to provide customer service and to gain a positive social presence, then any data your organization has placed on Facebook is essentially public, regardless of whether you intended that or not.

Your employees’ activities on Facebook present another risk. Those data miners include Cambridge Analytica, which boasted during an investigation by the UK’s ITN that it used a series of tricks, including honey pots and extortion, to get information from employees of companies it targeted. According to a report in The Guardian, the company was even willing to use the information it obtained to create sex scandals.

What this means is that your employees can be seen as a source of information about your company on Facebook. Even if your company page contains only information that you’ve vetted as being appropriate for public consumption globally, you’re not out of the woods. 

Anything your employees say about your company, whether it’s in public or not, is there for the taking. Facebook allows users to restrict information to friends, for example, but if one of those friends decides to share it, it’s still accessible.

You can’t simply pull your company off of Facebook and be safe. But there’s a lot you can do to limit what a bad actor can do to hurt your company or your employees.

First, really look at your Facebook presence. Scrutinize every entry and every link on your page. Look at every photo in detail. Confirm that none of the information you’ve posted can possibly cause you a problem. 

Next, look at the items posted by others, whether they’re customers or employees, and take down any that reveal information about your company that should not be public. 

Also be aware of the Facebook activities of your senior staff. It may not be possible—or even desirable—to eliminate a mention of their role in the company, but you should be aware of what they’re saying about the company. Where possible you need to discourage posting of information related to your projects, developments or plans. You should discourage discussion of development or management tools in use in your company and you should discourage detailed discussions of technical or business capabilities. 

The reason for this level of caution is that it becomes vastly easier for a hacker to break into your company if they know what systems you’re running and easier yet if they can use publicly available information to discover credentials. Think about it—if you use an email address as your default login to the company network, then publicizing your employee email addresses makes it easier for the hackers. 

But the risk goes far beyond just opening up an avenue for hackers. Private information found on Facebook can also be used by cyber-criminals as a way to get further information about your company or your organization’s leadership, which can then be used to work their way into your network, or to your business relationships. 

While Cambridge Analytica, which says in light of the recent revelations that it did nothing wrong, may limit its work to the field of politics, it is not the only company looking for data on Facebook. Those other data miners are still there, and they’re looking for information on your organization. You have to be vigilant to keep them from finding it.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...