
Facebook Blowback

Facebook announced on Friday that as many as 50 million of the platform’s social media accounts had been hacked, giving attackers access to users’ personal information. As some call for greater oversight and regulation, the company is already facing potentially stiff fines in Europe.

Cipher Brief Expert and former Deputy Director, U.S. Cyber Command, Kevin McLaughlin offers the following things to consider:


While people are reacting strongly to this breach, it’s worth remembering that the 2015 Office of Personnel Management (OPM) breach compromised the personal and private data that was collected from background investigations of millions of people, to include not only their PII data, but sensitive data on medical, legal, and other areas that are contained in background investigations. So compromises of large volumes of data containing our personal information are not a new thing.

That said, large social media and tech companies like FB, Twitter, and Google not only have PII on their users, but might have much deeper insights on their users that, if compromised, could open them not just to identity theft but to more sophisticated threats, such as blackmail and personal reputation attacks, as well.

Imagine how Judge Brett Kavanaugh’s yearbook and calendar are being used in the confirmation process and then think about how a nation-state, criminal group, or political group could use years of private social media, email, web surfing history, location data, etc. against an enemy.  The data they collect, analyze, and use is already under scrutiny, but now we need to worry about whether its very existence in a single repository is a new problem to manage.

One thing to consider is whether there should be more independent oversight and management of these companies. Each is very private about their own internal software, tools, and security practices and each thinks their “stuff” is the best. Some independence, whether through regulatory pressures from the government, or forcing them to have independent security audits by objective third parties (similar to how accounting firm independence is often required), might be worth considering.
