Research and Analysis of 2018 Facebook Data Breach that Earned Me Grade 93/100 (Distinction)

Introduction

Facebook Inc. is one of the tech giants in America, an information technology conglomerate with a specialization in social networking services, machine learning, and deep learning. Facebook was founded by Mark Zuckerberg alongside his student roommates at Harvard College to provide a platform for the students to connect and network. TheFacebook.com which was the social network platform created for the then Harvard College students is today’s Facebook.com and is now widely used across the globe.

I choose this organization because they typically deal with huge user data which are personally identifiable information (PII) and have over time become targets of cybercriminals with different data breach incidents. Due to these attacks, Facebook has sustained a wide range of experience in incidence response, risk management, and mitigation techniques. There is a lot that can be learned from this organization about the cyber incidence.

Summary of Incident

The year 2018 was a tough year for Facebook; the organization experienced a handful of data privacy issues, litigation, and a huge fine due to non-compliance with data privacy regulations and data breaches. Sequel to these occurrences, on Friday 28th September 2018, the organization announced a vulnerability that led to a data breach or data infiltration.

‘View As’, a feature on the Facebook website that enables users to view how their profiles look like and how their connections and friends, friends of friends on the platform would view their profile information became the attack surface that attackers exploited to gain access to Accounts of 50 million users.

This feature became vulnerable due to interaction between multiple bugs. The vulnerability created a security flaw that allows attackers to steal Facebook access tokens which gave them total control over user accounts. An access token is a powerful digital key that helps users to remain logged in to Facebook without the need to log in with their credentials every time they want to use the app

With the control the attackers had over those accounts, they used an automated technique to traverse from account to account so that they could gain the access token of the friends and the friend of those friends that were connected to the accounts they now control, hence, they used this automated technique to access the profile information of these accounts.

Some of the data that was accessed by the attackers are names, contact details such as an address, phone numbers, emails, and other details people have on their profile such as username, relationship status, religion, location, language, current city, education, work, date of birth and so on, though the leaked profile information is peculiar to what individual users have on their profile.

Facebook discovered that there was an unusual rise in the activities on the website, and then the organization initiated an investigation. After much investigation of these unusual activities on the website, they discovered that it was an attack and identified the attackers' vulnerability. In the space of two days, they mitigate the vulnerability, stopped the attack, and reset the access token of users which secure the users’ accounts that were compromised.

Facebook further reported the incident to the FBI which investigated and instructed Facebook not to relate or disclose the cybercriminals behind the attack. The organization also created a service called “Help Center” that would allow users to check if they were affected by the breach or not.

Also, Facebook planned to send customized messages to people affected to make them know which of their information was exposed with steps they can take to avoid falling victim to phishing, vishing, and smishing, and the step the organization is taking to prevent future occurrences of this incidence.

Fortunately for the organization, the attack did not affect other products and services such as Instagram, WhatsApp, Messenger, payments, etc. Facebook further promised the public that they would continue to corporate with data privacy agencies and the FBI to prevent attackers’ activities on their website.

Impact on the Organization

As I mentioned earlier, 2018 was a tough year for Facebook, this data breach came at a time when the organization was trying her possible best to convince lawmakers in the United States and beyond, that she’s capable of securing user data. This attack continues to make lawmakers question the security of user data. It led to more future litigation for the organization.

It also cost the organization her reputation, users lost their trust in the firm, they experienced low account creation, low user interactions, and users’ activities that would have help boost advertising revenue.

Facebook share was already going down due to several issues faced before this data breach. A day after Facebook announced this attack, the organization shares went down more.

Conclusion

Organizations that deal with user data are always targeted by cybercriminals. Organizations should always follow security best practices with security at the core of their software development. They should fix all bugs, patch all systems and periodically test for vulnerability and mitigate accordingly; this was where Facebook falls short, they allowed vulnerability within their software for more than a year, and cyber criminals leverage on the vulnerability to launch an attack.

Users should also limit the amount of their information exposed on the internet, most especially on social network platforms and apps. Whenever there is a data breach like this, the number of users that will be exposed will be limited and almost be irrelevant for cybercriminals to use to their advantage.

User data can be sold over the dark web, it can be used to commit a crime, it can be used to get a loan on behalf of the user, and it can be used for many other bad things one can think of without consent of the rightful owner. Cybersecurity is a shared responsibility; organizations to secure user data in their custody limit users' amount of information shared online.

Information Sources

Facebook. (2018, October 12). An Update on the Security Issue. About Facebook. https://about.fb.com/news/2018/10/update-on-security-issue/

Lee, D. (2018, September 28). Facebook security breach: Up to 50m accounts attacked. BBC News. https://www.bbc.com/news/technology-45686890

Rodriguez, S. (2018, October 12). Facebook says hackers were able to access millions of phone numbers and email addresses. CNBC; CNBC. https://www.cnbc.com/2018/10/12/facebook-security-breach-details.html

Wikipedia Contributors. (2019, January 18). Facebook. Wikipedia; Wikimedia Foundation. https://en.wikipedia.org/wiki/Facebook