Cyber Security Blog

How did Facebook lose control of user data and what can be learnt from it

Facebook founder and CEO Mark Zuckerberg came under fire from all sides after it was revealed that the personal data of millions of users had been obtained and exploited by the political consultancy Cambridge Analytica.

The story reached the public through a Channel 4 News investigation (alongside reporting by The Observer and The New York Times) that exposed the company’s tactics and the weakness in Facebook’s app platform that Cambridge Analytica exploited.

In a Facebook post on Zuckerberg’s verified page, the CEO admitted that “a breach of trust” had occurred, further stating that “we have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you”.

In a later interview with CNN, the founder of Facebook pledged to take action to make it more difficult for “rogue apps” to “harvest people’s personal information”.

How did the Cambridge Analytica Data Breach happen?

In 2014, Cambridge Analytica purchased data collected by a third-party personality quiz app, built by academic Aleksandr Kogan, that invited Facebook users to find out their personality type.

The third-party app invited Facebook users to take the personality quiz by logging in with their Facebook accounts, which granted the app access to their profile data, and then prompted them to share the quiz with their friends on the platform.

Personal data from over 250,000 users who completed the quiz was collected, together with data about those users’ friends, which the platform’s API at the time allowed apps to retrieve without the friends ever having authorised the app.
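To make the amplification concrete, here is an added example (not code from the original post, and not Facebook’s real API) of a simplified platform model in which a third-party app’s granted scope decides how much data it can pull. The user records, field names, scope names and the two `friends_*` endpoints are all assumptions constructed for illustration; the point they demonstrate is the one above: when an app can read full profiles of its users’ friends, the number of people whose data it holds is bounded by friend lists, not by the number of people who consented, and a least-privilege endpoint that returns only friends who also authorised the app, and only the fields the app needs, removes that amplification.

```python
# Added example (not the original post's code, not Facebook's API): a toy
# model of third-party app data access on a social platform, showing how an
# over-broad friends scope amplifies exposure and how least privilege contains it.
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample platform data; users, fields and friendships are invented.
USERS: Dict[str, dict] = {
    "u1": {"name": "Ann", "likes": ["hiking"], "hometown": "Leeds", "friends": ["u2", "u3"]},
    "u2": {"name": "Ben", "likes": ["chess"], "hometown": "York", "friends": ["u1", "u4"]},
    "u3": {"name": "Cat", "likes": ["jazz"], "hometown": "Hull", "friends": ["u1"]},
    "u4": {"name": "Dan", "likes": ["golf"], "hometown": "Bath", "friends": ["u2"]},
}

PROFILE_FIELDS = ("name", "likes", "hometown")  # assumed profile fields
FRIENDS_SCOPE = "user_friends"                  # assumed scope name

FriendsEndpoint = Callable[[str, Set[str], Set[str]], List[dict]]


def profile(user_id: str, fields=PROFILE_FIELDS) -> dict:
    """Return only the requested fields of one user, never the raw record."""
    return {"id": user_id, **{f: USERS[user_id][f] for f in fields}}


def friends_legacy(user_id: str, scopes: Set[str], app_users: Set[str]) -> List[dict]:
    """The 'before' behaviour in this model: with the friends scope the app
    receives full profiles of every friend, whether or not that friend ever
    authorised the app (app_users is ignored on purpose)."""
    if FRIENDS_SCOPE not in scopes:
        return []
    return [profile(f) for f in USERS[user_id]["friends"]]


def friends_restricted(user_id: str, scopes: Set[str], app_users: Set[str]) -> List[dict]:
    """Least-privilege behaviour: only friends who themselves authorised the app,
    and only the identifying field a social feature actually needs."""
    if FRIENDS_SCOPE not in scopes:
        return []
    return [profile(f, fields=("name",)) for f in USERS[user_id]["friends"] if f in app_users]


def harvest(app_users: Set[str], scopes: Set[str], friends_endpoint: FriendsEndpoint) -> Dict[str, dict]:
    """Simulate an app that stores everything the API returns for each of its
    users and for their friends. Returns {user_id: stored_record}."""
    store: Dict[str, dict] = {}
    for uid in sorted(app_users):
        store[uid] = profile(uid)  # the user consented, so their own profile is in scope
        for friend in friends_endpoint(uid, scopes, app_users):
            store.setdefault(friend["id"], friend)  # a consenting user's full profile wins
    return store


def exposure(app_users: Set[str], scopes: Set[str], friends_endpoint: FriendsEndpoint) -> Tuple[int, int]:
    """(number of people who consented, number of people whose data the app holds)."""
    return len(app_users), len(harvest(app_users, scopes, friends_endpoint))


if __name__ == "__main__":
    scopes = {"public_profile", FRIENDS_SCOPE}
    for label, endpoint in (("legacy", friends_legacy), ("restricted", friends_restricted)):
        consented, held = exposure({"u1"}, scopes, endpoint)
        print(f"{label}: {consented} consented, data held on {held}")
```

In the model, one quiz taker with two friends gives the legacy endpoint three people’s full profiles for one consent, while the restricted endpoint returns nothing about friends who never installed the app. Scaled to the 250,000 quiz takers above, the ratio of people exposed to people who consented is what made the incident so large.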

Whistleblower Christopher Wylie, a former Cambridge Analytica employee, claimed that the data was then used to build psychological profiles of users and target pro-Trump content at them.

Whether this personal data was actually used to influence the 2016 US presidential election and the UK Brexit referendum remains disputed, as Cambridge Analytica employees made conflicting statements during the investigation into the company.

Cambridge Analytica’s chief executive, Alexander Nix, was suspended on 20 March 2018 after secretly recorded footage emerged of him stating that the company had run Donald Trump’s digital campaign during the 2016 presidential election.

Several US senators called on Zuckerberg to testify before Congress about how his company will protect users, and the US Federal Trade Commission reportedly opened an investigation into Facebook.

What were the consequences of the Facebook data breach?

Significant data breaches are capable of causing irreparable damage to a company’s reputation and can cause users or customers to lose trust in the company’s ability to keep their personal data safe.

It’s not only users who have lost confidence in Facebook. ISBA, the trade body representing major UK advertisers, met with Facebook to review the breach and discuss what actions the platform needed to take.

In addition, Mozilla, creator of the popular Firefox web browser, announced that it would stop advertising on Facebook following the controversy.

The not-for-profit organisation said that it was “pressing pause” for its advertising on Facebook until the company was able to provide better protection for its users.

This is a strong indication that if Facebook fails to provide significant assurances that it can maintain the security of users’ data, more advertisers may follow Mozilla’s lead and distance themselves from the social media platform.

The episode also fits a familiar pattern: companies neither admitting fault nor protecting their users as soon as a breach is discovered. The timeline in Zuckerberg’s post showed that Facebook had known of the issue since 2015, when it asked Cambridge Analytica to delete the data, yet it did not verify that the deletion had taken place.

For any business, a data breach damages its standing as a trusted organisation and can weigh on its future, because the relationship with customers is in some cases irreparably broken.

In July 2018, the UK’s data protection regulator, the Information Commissioner’s Office (ICO), announced that it intended to fine Facebook £500,000, the maximum penalty available under the Data Protection Act 1998, saying that Facebook had failed to ensure that Cambridge Analytica had deleted users’ data.

How can businesses avoid data breaches in future?

If your organisation handles personal information, you have a number of legal obligations to protect that information, originally under the Data Protection Act 1998 and, from 25 May 2018, under the GDPR and the Data Protection Act 2018. Whether you’re a tech giant like Facebook with billions of users or a small business with 100 clients, your customers put their faith in you to keep their personal data safe.

Data breaches have been one of the biggest drivers behind the development of the General Data Protection Regulation (GDPR), which came into full effect on 25 May 2018.

8 Easy Principles of Data Protection to Apply to Personal Data

You need an effective data protection policy that is built around the eight data protection principles of the Data Protection Act 1998, which the GDPR carries forward in broadly the same form. They say that personal data should be:

  • Used fairly and lawfully.
  • Used for limited, specifically stated purposes.
  • Used in a way that is adequate, relevant and not excessive.
  • Accurate.
  • Kept for no longer than is necessary.
  • Handled according to people’s data protection rights.
  • Kept safe and secure.
  • Not transferred outside the European Economic Area without adequate protection.

Effective data protection procedures, staff who are familiar with them, and checks that any third party you share data with actually honours them (the step Facebook missed with Cambridge Analytica) can greatly reduce the risk of a security breach.

What Does the Cambridge Analytica Breach Mean for the Future of Facebook?

This isn’t the first time a major company has been involved in a large data breach and it won’t be the last. One thing is certain: data breaches can affect any organisation, and their effects can have drastic financial consequences.

A number of large data breaches have been exposed in the news ahead of the GDPR deadline, including Uber and Equifax in the last year alone.

There is, however, good news on the horizon for those concerned that data breaches are becoming a growing trend. The GDPR will not stop breaches on its own, but it changes the incentives: organisations must report qualifying breaches to their regulator within 72 hours, and fines can reach €20 million or 4% of global annual turnover, whichever is higher, far above the £500,000 maximum Facebook faced under the 1998 Act. That should push businesses and organisations of every size towards better practice.

If you want to know how to protect your business make sure to look at our guide on how to become GDPR compliant.
If you’d like to know how you can minimise the risk of a data breach in your organisation, visit our website to find out more about our Cyber Security Awareness Training courses.

Want to see more articles like this? Sign up to our mailing list to receive more insights into cyber security.

To stay up to date with the latest news and articles from Bob’s Business, follow us on Twitter, LinkedIn and Facebook.
