Facebook’s 50m Accounts Hacked, Where’s the Data?

On September 28, 2018, Facebook announced that it had experienced a data breach affecting over 50 million accounts. The breach was discovered on Tuesday, and three days later, Facebook notified the public. The breach happened due to a vulnerability in the feature that allows users to view their profile as someone else would see it, likely used to check privacy settings and how strict they are with personal information. As such, the vulnerability allowed access to these accounts without actually breaching other security measures, which is why the breach is as widespread as it is.

The vulnerability has since been patched, says Guy Rosen, Head of Security for Facebook. However, while the breach has been found and closed, its damage has not been fully assessed. Guy Rosen said,

“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based.”

It’s scary to think that, with all the personal information available on Facebook, the impact and victims have not been easily identified and notified. As of the time of this publishing, the data breach victims have not had the ability to secure themselves from further data theft proliferation. Instead of being notified by Facebook, the victims were prompted to change their passwords to prevent further data loss and left without any knowledge of whether they need to close their bank accounts, freeze credit cards, or start monitoring their credit reports.

Why is this still an acceptable practice?

Why are companies secured and brands strengthened before individual data protection efforts are made?

This is the strength of IT asset management and how it relates to IT security. IT asset managers are inherently the identifiers and trackers of data within the organizational environment. They are responsible for monitoring data flow and identifying its location. As such, if a data breach occurs, Security should work with IT asset managers to help identify who was targeted and move more quickly internally to notify the data breach victims. In doing so, the organization will position itself as a leader in data security and customer protection, which will strengthen its brand in a crisis instead of weakening it.

“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.” –Guy Rosen

IT asset management has much to offer IT security, and when the two work together, a strong, robust, and mature data security model can be created that facilitates rapid crisis response times and industry-leading data breach victim communications. Only by proactively leveraging IT asset management best practices will an organization be able to handle a data breach incident in a manner that protects both the organization and the victim.

[1] Security Update, Guy Rosen, 28 Sept. 2018, https://newsroom.fb.com/news/2018/09/security-update/
[2] Facebook Network is Breached, Mike Isaac & Sheera Frenkel, 28 Sept. 2018, https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html
[3] Zucked Up Facebook Hack – attackers got complete access to 50 Million accounts, Sean Keach, 28 Sept. 2018, https://www.thesun.co.uk/tech/7373518/facebook-hack-password-messages-safe-news/