After Facebook's breach, attention turns toward motive and potential nation state perpetrators
The underlying data behind profiles — public or not — are ripe targets for malicious actors and those looking to spread misinformation.
Facebook is the latest in a long line of companies suffering the effects of a data breach. Disclosed Friday, much is still unknown, but the social media company will have to embark upon an apology tour to make amends to users and regulators.
Proven by Equifax, Home Depot, Time Warner and others, a breach acts as a blight on a company's reputation and is often felt in the stock market.
On Friday, following news of the breach, Facebook closed the day with its stock down 3%, according to market data.
This year has been rocky for Facebook, riddled with Congressional hearings on data use and abuse. Some advertisers — such as Mozilla and Sonos — pulled ads from the platform immediately following the Cambridge Analytica revelations, but long-term impacts were largely avoided, Marketing Dive reports.
The social network has remained above the fray and ad spend on the platform bounced back after the Cambridge Analytica fallout. But as of September, advertising ROI was still down.
While Facebook initially authorized Cambridge Analytica's data usage, the September breach was part of an attack, unauthorized, with motives obscured. The social network has intricate rules about how to engage with data on its platform, but the underlying data behind profiles — public or not — are ripe targets for malicious actors.
"The reality here is we face constant attacks from people who want to take over accounts or steal information," said Facebook CEO Mark Zuckerberg, speaking on a press call Friday.
Even Zuckerberg and Facebook COO Sheryl Sandberg were not insulated from the breach. The New York Times reports their profiles were among the 50 million impacted. Facebook reset an additional 40 million account "access tokens" as a precaution.
Zuckerberg praised the quick work to identify, fix and secure the "View As" vulnerability and impacted accounts. "But we need to do more to prevent this from happening in the first place," he said. As a result, "we're going to keep investing very heavily in security going forward."
But Facebook has already invested heavily in security this year. By the end of 2018, Facebook expected to double its security team, adding about 10,000 people dedicated to "security and community issues."
"For all of the issues that Facebook has, it has a world class information security team," said Ed McAndrew, co-leader of privacy and data security group at Ballard Spahr LLP and former federal cybercrime prosecutor. The vulnerability is complex, with multiple parts contributing. "They're probably up against a really sophisticated adversary that is probing and looking for ways to exploit their authentication and identity controls."
The (unknown) culprits
Facebook is digging into who is behind the attack, working with law enforcement to unearth more information. Motive goes a long way in detecting how and why a cyberattack occurred.
The social network has a vast amount of information on users all over the world, but the company says "it does not know who the attackers are or what their motives are and that's actually a pretty startling statement from Facebook," McAndrew said.
The question the security community, Facebook and law enforcement have to ask is: Who can use this kind of data?
This type of breach is more nefarious than financial fraud schemes. "This data is not valuable to someone that wants to steal money from you or a take out a new loan," said Avivah Litan, VP and distinguished analyst at Gartner, in an interview with CIO Dive. "It could be somewhat valuable, but it's overkill for them."
And besides, they already have that kind of data from the Equifax, T-Mobile or many other breaches, she said.
While advertisers do have a vested interest in understanding Facebook users and capitalizing on that data, it is more likely a "nation state that wants to understand the American population for political purposes," said Litan.
Social media information is increasingly weaponized, and during an election year, the U.S. is up against broad misinformation campaigns, as seen in the 2016 election. Nation states use personal profile information to influence thinking and mount campaigns to sow discontent.
Impersonating users can prove a powerful weapon, far beyond hacked credit card numbers or stolen social security numbers used for identity theft.
"It's really for attackers to, even without hijacking your actual Facebook account, just copy and paste everything that's publicly available and create a new account under the same name with the exact same photo," said Jessica Ortega, website security analyst at SiteLock, in an interview with CIO Dive.
By impersonating the user, people can spread spam or malware through a user's messenger profile or spread information, she said.
This information is "targeted to spread fake news, to influence political opinion, that's very obvious," Litan said. "That's what's happening all over the world now."
What's at fault
With Facebook's quick disclosure — identifying the attack on Tuesday and disclosing Friday — it is in line with breach disclosure laws, which should appease regulators.
"They're out early in terms of disclosure because look, this is what Facebook does," McAndrew said. "They make information travel around the globe in nanoseconds."
As part of that, Facebook can't reset passwords or change user settings at a broad scale without attracting attention. In this case, transparency is the best, and likely only, course of action.
The quick disclosure speaks to the effects of the 50 different U.S. and the District of Columbia breach disclosure requirements and the world's laws, namely the General Data Protection Regulation. GDPR mandates a 72-hour breach notification requirement, and since the regulation has gone into effect, companies are even more wary of cybersecurity incident response.
Still, regulators are concerned about Facebook's failure to identify the origins of the breach and the impacts on users, according to Ireland's Data Protection Commission, in an emailed statement to The Wall Street Journal.
If Facebook ends up in the crosshairs of GDPR, it could face a fine of up to $1.63 billion, according to the report.
Follow Naomi Eide on Twitter