igor - Fotolia
The Cambridge Analytica scandal that led to Facebook user data being mishandled by a third-party app and passed on to the political consultancy company, could involve up to 87 million users – including nearly 1.1 million Britons, Facebook has revealed.
The revelations are consistent with the views of Cambridge Analytica whistleblower Christopher Wylie, who told a UK parliamentary select committee hearing he believed the number of Facebook users affected was far greater than his initial conservative estimate of 50 million.
Most of the affected users are US citizens, making up 81.2% of the total, followed by the Philippines (1.35%), Indonesia (1.26%), UK (1.24%), Mexico (0.9%) and Canada (0.7%), Facebook revealed in a blog post.
Facebook CEO and founder Mark Zuckerberg told a teleconference with reporters the figure of 87 million was calculated using “the maximum possible number of friends lists that everyone could have had over the time” and that he was confident that no more than 87 million users were affected, according to ABC News.
He admitted Facebook had not done enough to protect its users and said that, with hindsight, he would have acted to prevent the Cambridge Analytica scandal.
“I think the reality of a lot of this is that when you are building something like Facebook, that is unprecedented in the world, there are going to be things you will mess up. I think what people should hold us accountable for is learning from our mistakes.”
However, Zuckerberg revealed that an internal audit had uncovered that malicious actors had been abusing a feature that let users search for one another by typing in email addresses or phone numbers into Facebook’s search box.
As a result, he said many people’s public profile information had been “scraped” and matched to the contact details, which had been obtained from elsewhere, but that Facebook has now blocked this facility.
“It is reasonable to expect that if you had that [default] setting turned on, that in the last several years someone has probably accessed your public information in this way,” said Zuckerberg.
Despite several steps announced by Facebook to improve user privacy, the social networking firm has pointed out that information in a user’s public profile is always available, and this includes personal data such as name, gender, username, profile picture, cover photo, age range, language and country.
Simon Migliano, head of research at Top10VPN.com, said the latest revelations by Facebook give an “alarming indication” of just how many accounts were likely impacted by the Cambridge Analytica breach.
“This episode serves to highlight how oblivious we actually are to the sharp practices of companies and individuals operating on the web. Disconcertingly, this high-profile breach is just the tip of the iceberg,” he said.
According to Migliano, the market of personal details is doing “roaring trade” on the dark web, with Facebook account logins changing hands for as little as £3.74. “This means the login details to 87 million accounts, for example, could fetch around £325m to a seller on dark web marketplaces such as Dream, Wall Street Market and Point.
“The data that can be mined from these accounts can buy criminals an effective backdoor to identity fraud – from the potential to get ahold of bank details from those purchasing apps through to intimate personal information.”
Reading data terms
Craig Young, computer security researcher at Tripwire, said the Facebook data exploitation scandal should be an eye opener to people on the importance of reading before clicking OK.
“Unfortunately, data privacy is a lot like oral hygiene, everyone knows they should pay attention to it but in practice people tend to neglect it.
“Many Facebook users are naturally upset about this situation but, in the end, the moral of the story is that people need to be more considerate about what data they are sharing and with whom,” he said.
Travis Smith, principle security researcher at Tripwire, said businesses and individuals should pay more attention to protecting privacy.
“I would follow these steps in order, based off of the level of privacy you wish to have,” he said.
- Limit what you share on Facebook. There is no need to create a check in location at your house, where people can see your exact location, what valuables you have inside the house, and when you are away on holiday.
- Make your profile private. I would recommend making anything you post on the social network be limited to the individuals you have accepted as friends.
- Limit what applications you give access to. When signing up for a new service, there’s often a handy “Join with Facebook” option many times. This can allow the creator of that website unfettered access to your profile. Similarly, clicking the various personality tests or similar apps gives the author a level of access that you may not even want your own family to have. The author of these games rarely, if ever, needs access to your profile. Be very wary about who you give access to, because once they have access once, the data can be taken and you cannot get it back.
- Monitor what applications have access to your profile currently. Even though the applications already could have harvested everything from your profile, it’s wise to go through and make sure to keep the list clean.
- Don’t stop at Facebook. Every other service on the Internet has similar collection mechanisms about your private data. What you search for on Google, what YouTube videos you watch, what you search for and buy from Amazon; all of this is stored and can be used to profile you. Don’t assume that anything you do on the Internet is private, because it isn’t.
A recent survey of 350 IT decision makers shows that the scandal has highlighted issues around data privacy, sharing and security, and will affect business policies on how employees use the corporate network.
Of those IT decision-makers who allow access to Facebook through the corporate network, almost half (46%) said they were planning to educate staff on how to protect themselves and their data, 8% said they were taking more drastic steps and blacklisting the social network altogether, and 7% said they would implement stricter controls on who had access to Facebook.