The Cybersecurity 202: A massive Facebook breach underscores limits to current data breach notification laws

But the company doesn’t appear to have notified users about the attack in 2019 — or since the massive data set appeared online free late last month. Facebook declined to answer if it had ever informed affected users of the breach.

The inaction has met criticism in Washington, where lawmakers have recently ramped up efforts to strengthen requirements for how companies notify consumers about data breaches.

“Regardless of whether Facebook identified and fixed this issue in 2019, it failed to ever disclose this serious breach to impacted users,” Sen. Mark R. Warner (D-Va.) wrote in a statement. “You cannot simply brush away the disclosure of over half a billion Facebook users’ personal information.” 

Rep. David N. Cicilline (D-R.I,), chair of the House Judiciary antitrust subcommittee:

Despite previous legislative efforts, there is currently no national data breach law requiring companies to disclose when customer information is exposed.

The Federal Trade Commission, which has fined Facebook for policy violations in the past, also has little recourse.

The FTC also doesn’t enforce any regulations specific to data breaches. It can bring such cases under its general authority to prevent deceptive and unfair business practices, Maureen Ohlhausen, a partner at Baker Botts and former commissioner of the Federal Trade Commission told The Cybersecurity 202.

For instance, in 2019 the agency reached a $700 million settlement with Equifax over a 2017 breach of 147 million people.

There’s a key difference however: the Equifax breach involved non-publicly available personal information including Social Security numbers. Ohlhausen said she can’t remember a time when the agency brought an enforcement action for failing to notify consumers about a breach involving publicly available information.

Facebook settled with the FTC for a record $5 billion dollars for violating user privacy in July 2019. That means depending on when Facebook cut hackers off from the vulnerability used in the 2019 breach, Facebook could be protected from further action. That’s according to Ashkan Soltani, a former Federal Trade Commission chief technologist who was at the agency when it issued a 2011 consent order against Facebook in connection with user privacy violations.

States with strong privacy laws, namely California, could still step in however, he says. Regulators in Europe, where privacy standards are much stricter, are also expected to weigh in.

Some members of Congress want stricter laws.

Lawmakers have in recent years pushed for laws requiring companies across industries to alert customers to data breaches. But their efforts have fallen short. Now many, including Warner, are hoping the fallout from the sweeping SolarWinds hack — which could have gone unnoticed for months had private security firm FireEye not voluntarily notified the government —  will spur action. Several bills addressing the problem are expected in the coming weeks.

Cybersecurity experts warn that Facebook users should take the breach seriously.

“Such information is a goldmine for scammers,” Daniel Markuson, a digital privacy expert at virtual privacy network provider NordVPN said. The free information could be used in any number of attacks manipulating users into sharing personal information. That’s especially concerning during the pandemic, when email and phone-based cyber scams are on the rise, he notes.

Other experts shared similar warnings. Security researcher Troy Hunt:

Rachel Tobac, chief executive of Social Proof Security

And while phone numbers and emails may not be as immutable as something like a Social Security number, users don’t change them that often. Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation:

Soltani found that, at least in the case of his account, the phone number he provided Facebook for verification was included in the data set alongside the phone number associated with the contact information on his profile. 

Soltani called Facebook’s efforts to downplay its role in the attack deceptive.

Even if the data was largely publicly available, as Facebook argues, the company allowed hackers to package that information into a much more valuable package linking phone numbers, names and email addresses all in one place.

“It doesn’t absolve Facebook of the liability to have essentially disclosed and notified consumers that their information might have been linked,” he said.

Facebook doesn’t offer a means of finding out if your data was involved in the breach, but the popular data breach website “have I been pwned?” allows users to search the leaked data-set.

Prominent figures such as Facebook CEO Mark Zuckerberg were affected by the leak, F-Secure researcher Mikko Hypponen notes:

The pressure is on for Congress, social media activist group Sleeping Giants wrote:

Joan Donovan, research director at Harvard’s Shorenstein Center.

Hackers leaked personal information — including Social Security numbers — that belonged to members of the Stanford community, the Stanford Daily’s Daniel Wu and Sam Catania report. The university is the latest victim of a cyberattack that hit users of Accellion’s file-transfer software. 

The University of California and University of Miami also announced their data was stolen in the Accellion attack, with the former saying students and employees were affected. A hacker group has threatened to post large amounts of information if ransoms aren’t paid. 

Stanford did not respond to questions about the data breach and the university’s actions to safeguard personal data.

One major factor contributing to the uptick is the rush by organizations during the pandemic to move their workflows to the cloud, which can be accessed remotely unlike some other servers.

“The biggest takeaway is when organizations have sudden increases in cloud workloads it leads to dramatic increases in security incidents,” says Matt Chiodi, a chief security officer at Palo Alto Networks.

Researchers also found that nearly a third of organizations are hosting sensitive data in the cloud without proper security controls.

A letter to companies like Google and AT&T was signed by five Democrats — including Senate Finance Committee Chairman Ron Wyden (D-Ore.) — and one Republican, the Wall Street Journal’s Patience Haggin reports. The anonymized user data gathered during the digital auction process can be used by data brokers, who resell the data.

“The United States is not the only government with the means and interest in acquiring Americans’ personal data,” the senators wrote. “This information would be a gold mine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns.” The lawmakers asked for a list of foreign companies to whom the data was sold.

The most recent defense authorization bill had 380 percent more cyber-related provisions than the fiscal year 2017 bill, Third Way’s Michael Garcia writes. “With ransomware and cyber incidents at an all-time high,” Garcia wrote, “Congress should either include a new title in future Defense bills to bolster US cyber enforcement and civilian agencies’ capabilities or pass a cyber-omnibus bill to fix policy gaps and provide commensurate funds to federal and local agencies to combat malicious cyber activity.”

• Former State Department cyber coordinator Chris Painter speaks at an event hosted by the Business Council on International Understanding today at 10 a.m.
• The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) hosts a webinar on the role women play in the cybersecurity community today at 1 p.m.
• Tim Maurer, a senior cybersecurity aide to Homeland Security Secretary Alejandro Mayorkas; former CISA director Chris Krebs; former CISA attorney-adviser Kemba Walden; and former National Security Council cybersecurity coordinator Michael Daniel speak at a Center for Strategic and International Studies event on DHS’ cyber mission on Wednesday at 11 a.m.
• Rep. Yvette D. Clarke (D-N.Y.), who chairs the House Homeland Security Committee’s cybersecurity subcommittee, speaks at an event hosted by the Cybersecurity Coalition on April 7 at 2:30 p.m.
• Eric Goldstein, CISA’s executive assistant director for cybersecurity, discusses the Biden administration’s cybersecurity priorities at an American Transaction Processors Coalition event on Wednesday at 3 p.m. 
• Former president Donald Trump’s acting homeland security secretary, Chad Wolf, discusses the SolarWinds cyberattack at a Heritage Foundation event on April 12 at 1 p.m. Russian hackers accessed Wolf’s emails as a result of the attack.