Lily Hay Newman

What Really Caused Facebook's 500M-User Data Leak?

Since Saturday, a massive trove of Facebook data has circulated publicly, splashing information from roughly 533 million Facebook users across the internet. The data includes things like profile names, Facebook ID numbers, email addresses, and phone numbers. It's all the kind of information that may already have been leaked or scraped from some other source, but it's yet another resource that links all that data together—and ties it to each victim—presenting tidy profiles to scammers, phishers, and spammers on a silver platter.

Facebook's initial response was simply that the data was previously reported on in 2019 and that the company patched the underlying vulnerability in August of that year. Old news. But a closer look at where, exactly, this data comes from produces a much murkier picture. In fact, the data, which first appeared on the criminal dark web in 2019, came from a breach that Facebook did not disclose in any significant detail at the time and only fully acknowledged Tuesday evening in a blog post attributed to product management director Mike Clark.

One source of the confusion was that Facebook has had any number of breaches and exposures from which this data could have originated. Was it the 540 million records—including Facebook IDs, comments, likes, and reaction data—exposed by a third party and disclosed by the security firm UpGuard in April 2019? Or was it the 419 million Facebook user records, including hundreds of millions of phone numbers, names, and Facebook IDs, scraped from the social network by bad actors before a 2018 Facebook policy change, that were exposed publicly and reported by TechCrunch in September 2019? Did it have something to do with the Cambridge Analytica third-party data sharing scandal of 2018? Or was this somehow related to the massive 2018 Facebook data breach that compromised access tokens and virtually all personal data from about 30 million users?

In fact, the answer appears to be none of the above. As Facebook eventually explained in background comments to WIRED and in its Tuesday blog, the recently public trove of 533 million records is an entirely different data set that attackers created by abusing a flaw in a Facebook address book contacts import feature. Facebook says it patched the vulnerability in August 2019, but it's unclear how many times the bug was exploited before then. The information from more than 500 million Facebook users in more than 106 countries contains Facebook IDs, phone numbers, and other information about early Facebook users like Mark Zuckerberg and US Secretary of Transportation Pete Buttigieg, as well as the European Union commissioner for data protection, Didier Reynders. Other victims include 61 people who list the "Federal Trade Commission" and 651 people who list "Attorney General" in their details on Facebook.

You can check whether your phone number or email address was exposed in the leak by checking the breach tracking site HaveIBeenPwned. For the service, founder Troy Hunt reconciled and ingested two different versions of the data set that have been floating around.

“When there’s a vacuum of information from the organization that’s implicated, everyone speculates, and there's confusion,” Hunt says.

The closest Facebook came to acknowledging the source of this breach previously was a comment in a fall 2019 news article. That September, Forbes reported on a related vulnerability in Instagram's mechanism to import contacts. The Instagram bug exposed users’ names, phone numbers, Instagram handles, and account ID numbers. At the time, Facebook told the researcher who disclosed the flaw that the Facebook security team was “already aware of the issue due to an internal finding.” A spokesperson told Forbes at the time, “We have changed the contact importer on Instagram to help prevent potential abuse. We are grateful to the researcher who raised this issue." Forbes noted in the September 2019 story that there was no evidence the vulnerability had been exploited, but also no evidence that it had not been.

In its blog post today, Facebook links to a September 2019 article from CNET as evidence that the company publicly acknowledged the 2019 data exposure. But the CNET story refers to findings from a researcher who also contacted WIRED in May 2019 about a trove of Facebook data, including names and phone numbers. The leak the researcher had learned about was the same one TechCrunch reported on in September 2019. And according to the September 2019 CNET story, it is the same one CNET was describing. Facebook told TechCrunch at the time, “This data set is old and appears to have information obtained before we made changes last year [2018] to remove people’s ability to find others using their phone numbers.” Those changes were aimed at reducing the risk that Facebook's search and account-recovery tools could be exploited for mass scraping.

Data sets circulating in criminal forums are often mashed together, adapted, recombined, and sold off in different chunks, which can account for variations in their exact size and scope. But based on Facebook's comment in 2019 that the data TechCrunch reported on was from mid-2018 or earlier, it seems not to be the currently circulating data set. The two troves also have different attributes and numbers of users impacted in each region. Facebook declined to comment for the September 2019 CNET story.

If all of this feels exhausting to sort through, it's because Facebook went days without giving a substantive answer and has left open some degree of confusion.

“At what point did Facebook say, ‘We had a bug in our system, and we added a fix, and therefore users might be affected’?" says former Federal Trade Commission chief technologist Ashkan Soltani. “I don't remember ever seeing Facebook say that. And they’re kind of stuck now, because they apparently didn’t do any disclosure or notification."

Before its blog acknowledging the breach, Facebook pointed to the Forbes story as evidence that it publicly acknowledged the 2019 Facebook contact importer breach. But the Forbes story is about a similar yet seemingly unrelated finding in Instagram versus main Facebook, which is where the 533-million-user leak comes from. And Facebook admits that it did not notify users that their data had been compromised individually or through an official company security bulletin. 

The Irish Data Protection Commission said in a statement on Tuesday that it “received no proactive communication from Facebook" regarding the breach.

“Previous data sets were published in 2019 and 2018 relating to a large-scale scraping of the Facebook website, which at the time Facebook advised occurred between June 2017 and April 2018 when Facebook closed off a vulnerability in its phone look-up functionality," according to the timeline the commission put together. "Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR. The newly published data set seems to comprise the original 2018 (pre GDPR) data set and combined with additional records, which may be from a later period.” 

Facebook says it did not notify users about the 2019 contact importer exploitation precisely because there are so many troves of semipublic user data—taken from Facebook itself and other companies—out in the world. Additionally, attackers needed to supply phone numbers and manipulate the feature to spit out the corresponding name and other data associated with it for the exploit to work, which Facebook argues means that it did not expose the phone numbers itself. “It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019,” Clark wrote Tuesday. The company aims to draw a distinction between exploiting a weakness in a legitimate feature for mass scraping and finding a flaw in its systems to grab data from its backend. Still, the former is a vulnerability exploitation.

But for those affected, this is a distinction without a difference. Attackers could simply run through every possible international phone number and collect data on hits. The Facebook bug provided bad actors with the missing connection between phone numbers and public information like names.
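The abuse pattern described above, a feature that maps any supplied phone number to a profile being driven through whole ranges of numbers, leaves a recognisable footprint in server-side logs: one account issuing far more lookups than any address book holds, numbers that step through a range, and a low proportion of matches. The following Python is an added example and not Facebook's code or anything from the article; the log format, the thresholds and the sample lines are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (not real Facebook telemetry). Format:
#   <timestamp> actor=<account> lookup=<E.164 phone number> hit=<0|1>
# "acct-legit" imports a small, scattered address book; "acct-scan" walks a
# contiguous block of numbers and gets few matches.
SAMPLE_LOG = """
2019-08-01T10:00:01Z actor=acct-legit lookup=+14155550132 hit=1
2019-08-01T10:00:01Z actor=acct-legit lookup=+442079460958 hit=1
2019-08-01T10:00:02Z actor=acct-legit lookup=+61291234567 hit=0
2019-08-01T10:00:02Z actor=acct-legit lookup=+33142685300 hit=1
2019-08-01T10:00:03Z actor=acct-legit lookup=+14155559876 hit=1
2019-08-01T10:00:03Z actor=acct-legit lookup=+12125550199 hit=0
2019-08-01T10:00:00Z actor=acct-scan lookup=+15551230001 hit=0
2019-08-01T10:00:00Z actor=acct-scan lookup=+15551230002 hit=0
2019-08-01T10:00:00Z actor=acct-scan lookup=+15551230003 hit=1
2019-08-01T10:00:01Z actor=acct-scan lookup=+15551230004 hit=0
2019-08-01T10:00:01Z actor=acct-scan lookup=+15551230005 hit=0
2019-08-01T10:00:01Z actor=acct-scan lookup=+15551230006 hit=0
2019-08-01T10:00:02Z actor=acct-scan lookup=+15551230007 hit=0
2019-08-01T10:00:02Z actor=acct-scan lookup=+15551230008 hit=0
2019-08-01T10:00:02Z actor=acct-scan lookup=+15551230009 hit=1
2019-08-01T10:00:03Z actor=acct-scan lookup=+15551230010 hit=0
2019-08-01T10:00:03Z actor=acct-scan lookup=+15551230011 hit=0
2019-08-01T10:00:03Z actor=acct-scan lookup=+15551230012 hit=0
"""

Event = Tuple[str, int, bool]  # (actor, phone number as an integer, matched a profile)


@dataclass
class ActorStats:
    lookups: int = 0
    hits: int = 0
    sequential: int = 0              # lookups exactly +1 from this actor's previous lookup
    last_number: Optional[int] = None


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into (actor, number, hit) tuples."""
    events: List[Event] = []
    for line in text.strip().splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])  # skip the timestamp
        events.append((fields["actor"], int(fields["lookup"].lstrip("+")), fields["hit"] == "1"))
    return events


def summarize(events: List[Event]) -> Dict[str, ActorStats]:
    """Per-actor volume, hit count and number of consecutive-number lookups."""
    stats: Dict[str, ActorStats] = defaultdict(ActorStats)
    for actor, number, hit in events:
        s = stats[actor]
        s.lookups += 1
        s.hits += int(hit)
        if s.last_number is not None and number == s.last_number + 1:
            s.sequential += 1
        s.last_number = number
    return dict(stats)


def flag_enumeration(events: List[Event], min_lookups: int = 10,
                     max_hit_ratio: float = 0.25,
                     min_sequential_ratio: float = 0.5) -> Dict[str, List[str]]:
    """Return {actor: [reasons]} for actors whose lookups look like range scanning.

    The thresholds are constructed for this example. A genuine address-book
    import is a bounded list of numbers the uploader already knows, so it has
    a high hit ratio and no arithmetic pattern; a scan has neither property.
    """
    flagged: Dict[str, List[str]] = {}
    for actor, s in summarize(events).items():
        if s.lookups < min_lookups:
            continue  # below the volume floor: treat as an ordinary import
        reasons = []
        hit_ratio = s.hits / s.lookups
        if hit_ratio <= max_hit_ratio:
            reasons.append(f"low hit ratio {hit_ratio:.2f}")
        seq_ratio = s.sequential / max(s.lookups - 1, 1)
        if seq_ratio >= min_sequential_ratio:
            reasons.append(f"sequential numbers {seq_ratio:.2f}")
        if reasons:
            flagged[actor] = reasons
    return flagged


if __name__ == "__main__":
    for actor, reasons in flag_enumeration(parse_log(SAMPLE_LOG)).items():
        print(actor, "->", "; ".join(reasons))
```

Alerting on the flagged account is only half of the mitigation. The same per-account statistics are the natural inputs to a hard cap on lookups per account per day and to a rule that the feature returns profile data only for numbers in a contact list the user actually uploaded, which removes the incentive to scan in the first place.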

Phone numbers used to be public in phone books and often still are, but as they've evolved to be ubiquitous identifiers, linking you to different parts of your digital life, they've taken on new significance and potential value to attackers. They even play a role in sensitive authentication, by being the path through which you might receive two-factor authentication codes over SMS or a phone call in which you provide information to confirm your identity. The idea that phone numbers are now critical to your digital security is not at all new.

“It's a fallacy to think that a breach isn't serious just because it doesn't have passwords in it or other maximally sensitive data,” says Zack Allen, director of threat intelligence at the security firm ZeroFox. “It's also a fallacy to say that a situation isn't that bad just because it's old data. And furthermore, phone numbers scare the crap out of me as a form of authentication, which unfortunately is how they're often used these days.”

For its part, Facebook has repeatedly mishandled user phone numbers. They used to be easily collectible on a large scale through the company's Graph Search API tool. At the time, the company didn't view that as a security vulnerability, because Graph Search surfaced only phone numbers and other data that users set to be public on their profiles. Over the years, though, Facebook started to recognize that it was a problem to make such data so easy to scrape, even if individual users chose to make their data public. In aggregate, the information could still enable scamming and phishing on a scale that individuals presumably did not intend.

In 2018, Facebook acknowledged that it targeted ads based on users' two-factor authentication phone number. That same year, the company also disabled a feature that allowed users to search for other people on Facebook using their phone number or email address—a mechanism that was again being abused by scrapers. According to Facebook, this is the tool cybercriminals used to collect the data TechCrunch reported on in 2019.

Yet somehow, in spite of these and other gestures toward locking user phone numbers down, Facebook still did not fully disclose the 2019 data breach. The contact import feature is somewhat beleaguered, and the company also fixed vulnerabilities in it in 2013 and 2017.

Meanwhile, Facebook reached a landmark settlement with the FTC in July 2019 over what can only be described as a massive number of deeply concerning data privacy failures. In exchange for paying a $5 billion fine and agreeing to certain terms, like discontinuing its aforementioned alternate uses of security-authentication related phone numbers, Facebook was indemnified for all activity before June 12, 2019.

Whether any of the contact import exploitation occurred after that date—and therefore should have been reported to the FTC—remains an open question. The one thing that's certain in all this is that more than 500 million Facebook users are less safe online than they otherwise would be—and potentially vulnerable to a new wave of scams and phishing that Facebook could have alerted them to nearly two years ago.

Facebook data breach: what happened and why it’s hard to know if your data was leaked

Associate Dean (Computing and Security), Edith Cowan University

Disclosure statement

Paul Haskell-Dowland does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.

Edith Cowan University provides funding as a member of The Conversation AU.

Over the long weekend reports emerged of an alleged data breach, impacting half a billion Facebook users from 106 countries.

And while this figure is staggering, there’s more to the story than 533 million sets of data. This breach once again highlights how many of the systems we use aren’t designed to adequately protect our information from cyber criminals.

Nor is it always straightforward to figure out whether your data have been compromised in a breach or not.

What happened?

More than 500 million Facebook users’ details were published online on an underground website used by cyber criminals.

It quickly became clear this was not a new data breach, but an older one which had come back to haunt Facebook and the millions of users whose data are now available to purchase online.

The data breach is believed to relate to a vulnerability which Facebook reportedly fixed in August 2019. While the exact source of the data can’t be verified, it was likely acquired through the misuse of legitimate functions in Facebook’s systems.

Such misuses can occur when a seemingly innocent feature of a website is used for an unexpected purpose by attackers, as was the case with a PayID attack in 2019.

In the case of Facebook, criminals can mine Facebook’s systems for users’ personal information by using techniques which automate the process of harvesting data.

This may sound familiar. In 2018 Facebook was reeling from the Cambridge Analytica scandal. This too was not a hacking incident, but a misuse of a perfectly legitimate function of the Facebook platform.

While the data were initially obtained legitimately — at least, as far as Facebook’s rules were concerned — they were then passed on to a third party without the appropriate consent from users.

Were you targeted?

There’s no easy way to determine if your details were breached in the recent leak. If the website concerned is acting in your best interest, you should at least receive a notification. But this isn’t guaranteed.

Even a tech-savvy user would be limited to hunting for the leaked data themselves on underground websites.

The data being sold online contain plenty of key information. According to haveibeenpwned.com, most of the records include names and genders, with many also including dates of birth, location, relationship status and employer.

It has been reported, though, that only a small proportion of the stolen data contained a valid email address (about 2.5 million records).

This is important since a user’s data are less valuable without the corresponding email address. It’s the combination of date of birth, name, phone number and email which provides a useful starting point for identity theft and exploitation.

If you’re not sure why these details would be valuable to a criminal, think about how you confirm your identity over the phone with your bank, or how you last reset a password on a website.

Haveibeenpwned.com creator and web security expert Troy Hunt has said a secondary use for the data could be to enhance phishing and SMS-based spam attacks.

How to protect yourself

Given the nature of the leak, there is very little Facebook users could have done proactively to protect themselves from this breach. As the attack targeted Facebook’s systems, the responsibility for securing the data lies entirely with Facebook.

On an individual level, while you can opt to withdraw from the platform, for many this isn’t a simple option. That said, there are certain changes you can make to your social media behaviours to help reduce your risk from data breaches.

1) Ask yourself if you need to share all your information with Facebook

There are some bits of information we inevitably have to forfeit in exchange for using Facebook, including mobile numbers for new accounts (as a security measure, ironically). But there are plenty of details you can withhold to retain a modicum of control over your data.

2) Think about what you share

Apart from the leak being reported, there are plenty of other ways to harvest user data from Facebook. If you use a fake birth date on your account, you should also avoid posting birthday party photos on the real day. Even our seemingly innocent photos can reveal sensitive information.

3) Avoid using Facebook to sign in to other websites

Although the “sign-in with Facebook” feature is potentially time-saving (and reduces the number of accounts you have to maintain), it also increases potential risk to you — especially if the site you’re signing into isn’t a trusted one. If your Facebook account is compromised, the attacker will have automatic access to all the linked websites.

4) Use unique passwords

Always use a different password for each online account, even if it is a pain. Installing a password manager will help with this (and this is how I have more than 400 different passwords). While it won’t stop your data from ever being stolen, if your password for a site is leaked it will only work for that one site.

If you really want a scare, you can always download a copy of all the data Facebook has on you. This is useful if you’re considering leaving the platform and want a copy of your data before closing your account.

After Data Breach Exposes 530 Million, Facebook Says It Will Not Notify Users

Emma Bowman

Facebook decided not to notify over 530 million of its users whose personal data was lifted in a breach sometime before August 2019 and was recently made available in a public database. Facebook also has no plans to do so, a spokesperson said.

Phone numbers, full names, locations, some email addresses, and other details from user profiles were posted to an amateur hacking forum on Saturday, Business Insider reported last week.

The leaked data includes personal information from 533 million Facebook users in 106 countries.

In response to the reporting, Facebook said in a blog post on Tuesday that "malicious actors" had scraped the data by exploiting a vulnerability in a now-defunct feature on the platform that allowed users to find each other by phone number.

The social media company said it found and fixed the issue in August 2019 and that it's confident the same route can no longer be used to scrape that data.

"We don't currently have plans to notify users individually," a Facebook spokesman told NPR.

According to the spokesman, the company does not have complete confidence in knowing which users would need to be notified. He also said that in deciding whether to notify users, Facebook weighed the fact that the information was publicly available and that it was not an issue that users could fix themselves.

The information did not include financial information, health information or passwords, Facebook said, but the data leak still leaves users vulnerable, security experts say.

"Scammers can do an enormous amount with little information from us," says CyberScout founder Adam Levin, a cybersecurity expert and consumer protection advocate. In the case of this breach, he said, "It's serious when phone numbers are out there. The danger when you have phone numbers in particular is a universal identifier."

Phone numbers are increasingly used to connect people to their digital presence, including the use of two-factor authentication via text message and phone calls to verify one's identity.

The misuse of its user data is a familiar battle for Facebook, and its handling of user privacy has endured scrutiny.

In July 2019, months before patching up the aforementioned issue, Facebook reached a $5 billion settlement with the U.S. Federal Trade Commission for violating an agreement with the agency to protect user privacy.

To find out whether your personal information was leaked in the breach, you can check the data tracking tool HaveIBeenPwned. Its creator, Troy Hunt, updated the site with the latest data from the Facebook leak. Hunt said that 65% of the latest batch of data had already been added to the tracker from previous leaks.

Editor's note: Facebook is among NPR's financial supporters.

Facebook data privacy scandal: A cheat sheet

TechRepublic Staff

A decade of apparent indifference for data privacy at Facebook has culminated in revelations that organizations harvested user data for targeted advertising, particularly political advertising, to apparent success. While the most well-known offender is Cambridge Analytica–the political consulting and strategic communication firm behind the pro-Brexit Leave EU campaign, as well as Donald Trump’s 2016 presidential campaign–other companies have likely used similar tactics to collect personal data of Facebook users.

TechRepublic’s cheat sheet about the Facebook data privacy scandal covers the ongoing controversy surrounding the illicit use of profile information. This article will be updated as more information about this developing story comes to the forefront. It is also available as a download, Cheat sheet: Facebook Data Privacy Scandal (free PDF).

What is the Facebook data privacy scandal?

The Facebook data privacy scandal centers around the collection of personally identifiable information of “up to 87 million people” by the political consulting and strategic communication firm Cambridge Analytica. That company–and others–were able to gain access to personal data of Facebook users due to the confluence of a variety of factors, broadly including inadequate safeguards against companies engaging in data harvesting, little to no oversight of developers by Facebook, developer abuse of the Facebook API, and users agreeing to overly broad terms and conditions.

In the case of Cambridge Analytica, the company was able to harvest personally identifiable information through a personality quiz app called thisisyourdigitallife, based on the OCEAN personality model. Information gathered via this app is useful in building a “psychographic” profile of users (the OCEAN acronym stands for openness, conscientiousness, extraversion, agreeableness, and neuroticism). Adding the app to your Facebook account to take the quiz gives the creator of the app access to profile information and user history for the user taking the quiz, as well as all of the friends that user has on Facebook. This data includes all of the items that users and their friends have liked on Facebook.

Researchers associated with Cambridge University claimed in a paper that Facebook likes “can be used to automatically and accurately predict a range of highly sensitive personal attributes including: sexual orientation, ethnicity, religious and political views, personality traits, intelligence, happiness, use of addictive substances, parental separation, age, and gender,” with a model developed by the researchers that uses a combination of dimensionality reduction and logistic/linear regression to infer this information about users.

The model–according to the researchers–is effective due to the relationship of likes to a given attribute. However, most likes are not explicitly indicative of the attributes they predict. The researchers note that “less than 5% of users labeled as gay were connected with explicitly gay groups,” but that liking “Juicy Couture” and “Adam Lambert” are likes indicative of gay men, while “WWE” and “Being Confused After Waking Up From Naps” are likes indicative of straight men. Other such connections are peculiarly lateral, with “curly fries” being an indicator of high IQ, “sour candy” being an indicator of not smoking, and “Gene Wilder” being an indicator that the user’s parents had not separated by age 21.

Additional resources

  • How a Facebook app scraped millions of people’s personal data (CBS News)
  • Facebook reportedly thinks there’s no ‘expectation of privacy’ on social media (CNET)
  • Cambridge Analytica: ‘We know what you want before you want it’ (TechRepublic)
  • Average US citizen had personal information stolen at least 4 times in 2019 (TechRepublic)
  • Facebook: We’ll pay you to track down apps that misuse your data (ZDNet)
  • Most consumers do not trust big tech with their privacy (TechRepublic)
  • Facebook asks permission to use personal data in Brazil (ZDNet)

What is the timeline of the Facebook data privacy scandal?

Facebook has more than a decade-long track record of incidents highlighting inadequate and insufficient measures to protect data privacy. While the severity of these individual cases varies, the sequence of repeated failures paints a larger picture of systemic problems.

In 2005, researchers at MIT created a script that downloaded publicly posted information of more than 70,000 users from four schools. (Facebook only began to allow search engines to crawl profiles in September 2007.)

In 2007, activities that users engaged in on other websites were automatically added to Facebook user profiles as part of Beacon, one of Facebook’s first attempts to monetize user profiles. As an example, Beacon indicated on the Facebook News Feed the titles of videos that users rented from Blockbuster Video, which was a violation of the Video Privacy Protection Act. A class action suit was filed, for which Facebook paid $9.5 million to a fund for privacy and security as part of a settlement agreement.

In 2011, following an FTC investigation, the company entered into a consent decree, promising to address concerns about how user data was tracked and shared. That investigation was prompted by an incident in December 2009 in which information thought private by users was being shared publicly, according to contemporaneous reporting by The New York Times.

In 2013, Facebook disclosed details of a bug that exposed the personal details of six million accounts over approximately a year. When users downloaded their own Facebook history, they obtained in the same action not just their own address book, but also the email addresses and phone numbers of their friends that other people had stored in their address books. The data that Facebook exposed had not been given to Facebook by the affected users to begin with–it had been vacuumed from the contact lists of other Facebook users who happened to know that person. This phenomenon has since been described as “shadow profiles.”
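In design terms, the 2013 export bug is an authorization failure in the export path: the download returned a record merged from every uploader's address book rather than only the entries the requesting user had uploaded. The Python below is an added example, not Facebook's code; it models that mistake on constructed data (a toy contact store in which entries are matched by display name) next to a hardened export that returns only what the requester supplied, plus a regression check that lists exactly which fields the vulnerable version leaks.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ContactEntry:
    """One address-book entry as uploaded by one account (constructed model)."""
    uploader: str   # account that imported the address book containing this entry
    name: str
    phone: str      # "" when the uploader had no number for this person
    email: str      # "" when the uploader had no email for this person


# Constructed data, not real records. Alice and Carol both have Bob in their
# address books, but only Carol knows Bob's work email.
UPLOADED_CONTACTS: List[ContactEntry] = [
    ContactEntry("alice", "Bob",   "+15551230001", "bob@example.com"),
    ContactEntry("alice", "Carol", "+15551230002", ""),
    ContactEntry("bob",   "Alice", "+15551230010", "alice@example.com"),
    ContactEntry("bob",   "Dave",  "+15551230003", "dave@example.com"),
    ContactEntry("carol", "Bob",   "",             "bob.work@example.com"),
]

Record = Dict[str, object]


def _record(name: str, phones: Set[str], emails: Set[str]) -> Record:
    return {"name": name, "phones": phones - {""}, "emails": emails - {""}}


def export_address_book_vulnerable(requester: str) -> List[Record]:
    """Model of the 2013 behaviour: the export starts from the requester's own
    entries but enriches each one with every other uploader's details for the
    same person. Matching by display name is a stand-in for whatever identity
    resolution Facebook used; the flaw is the cross-uploader merge, not the
    matching rule."""
    exported = []
    for own in UPLOADED_CONTACTS:
        if own.uploader != requester:
            continue
        same_person = [e for e in UPLOADED_CONTACTS if e.name == own.name]
        exported.append(_record(own.name,
                                {e.phone for e in same_person},
                                {e.email for e in same_person}))
    return exported


def export_address_book_hardened(requester: str) -> List[Record]:
    """Authorisation-correct export: each entry contains exactly the fields
    this requester uploaded, so the export can never contain data that
    another account supplied."""
    return [_record(e.name, {e.phone}, {e.email})
            for e in UPLOADED_CONTACTS if e.uploader == requester]


def _triples(records: List[Record]) -> Set[Tuple[str, str, str]]:
    """Flatten export records into (name, field, value) triples for comparison."""
    return {(r["name"], kind, v)
            for r in records
            for kind, key in (("phone", "phones"), ("email", "emails"))
            for v in r[key]}


def leaked_fields(requester: str) -> Set[Tuple[str, str, str]]:
    """Fields the vulnerable export hands the requester that the requester
    never uploaded; an empty set means the export is authorisation-clean."""
    return (_triples(export_address_book_vulnerable(requester))
            - _triples(export_address_book_hardened(requester)))


if __name__ == "__main__":
    for triple in sorted(leaked_fields("alice")):
        print("exported to alice although she never uploaded it:", triple)
```

The check in `leaked_fields` is the kind of test that would have caught the bug before release: for every account, the export must be a subset of what that account itself submitted, regardless of how the backend matches and merges entries internally.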

The Cambridge Analytica portion of the data privacy scandal starts in February 2014. A spate of reviews on the Turkopticon website–a third-party review website for users of Amazon’s Mechanical Turk–detail a task requested by Aleksandr Kogan asking users to complete a survey in exchange for money. The survey required users to add the thisisyourdigitallife app to their Facebook account, which is in violation of Mechanical Turk’s terms of service. One review quotes the request as requiring users to “provide our app access to your Facebook so we can download some of your data–some demographic data, your likes, your friends list, whether your friends know one another, and some of your private messages.”

In December 2015, Facebook learned for the first time that the data set Kogan generated with the app was shared with Cambridge Analytica. Facebook founder and CEO Mark Zuckerberg claims “we immediately banned Kogan’s app from our platform, and demanded that Kogan and Cambridge Analytica formally certify that they had deleted all improperly acquired data. They provided these certifications.”

According to Cambridge Analytica, the company took legal action in August 2016 against GSR (Kogan) for licensing “illegally acquired data” to the company, with a settlement reached that November.

On March 17, 2018, an exposé was published by The Guardian and The New York Times, initially reporting that 50 million Facebook profiles were harvested by Cambridge Analytica; the figure was later revised to “up to 87 million” profiles. The exposé relies on information provided by Christopher Wylie, a former employee of SCL Elections and Global Science Research, the creator of the thisisyourdigitallife app. Wylie claimed that the data from that app was sold to Cambridge Analytica, which used the data to develop “psychographic” profiles of users, and target users with pro-Trump advertising, a claim that Cambridge Analytica denied.

On March 16, 2018, Facebook threatened to sue The Guardian over publication of the story, according to a tweet by Guardian reporter Carole Cadwalladr. Campbell Brown, a former CNN journalist who now works as head of news partnerships at Facebook, said it was “not our wisest move,” adding “If it were me I would have probably not threatened to sue The Guardian.” Similarly, Cambridge Analytica threatened to sue The Guardian for defamation.

On March 20, 2018, the FTC opened an investigation to determine if Facebook had violated the terms of the settlement from the 2011 investigation.

In April 2018, reports indicated that Facebook had granted Zuckerberg and other high-ranking executives the ability to control personal information on the platform in ways not available to ordinary users. Messages Zuckerberg had sent to other users were remotely deleted from those users’ inboxes, which the company claimed was part of a corporate security measure following the 2014 Sony Pictures hack. Facebook subsequently announced plans to make the “unsend” capability available “to all users in several months,” and that Zuckerberg would be unable to unsend messages until that feature rolled out. Facebook added the feature 10 months later, on February 6, 2019. The public feature permits users to delete messages up to 10 minutes after they were sent. In the controversy that prompted the feature, Zuckerberg deleted messages months after they were sent.

On April 4, 2018, The Washington Post reported that Facebook announced “malicious actors” abused the search function to gather public profile information of “most of its 2 billion users worldwide.”

In a CBS News/YouGov poll published on April 10, 2018, 61% of Americans said Congress should do more to regulate social media and tech companies. This sentiment was echoed in a CBS News interview with Box CEO Aaron Levie and YML CEO Ashish Toshniwal, who called on Congress to regulate Facebook. According to Levie, “There are so many examples where we don’t have modern ways of either regulating, controlling, or putting the right protections in place in the internet age. And this is a fundamental issue that, that we’re gonna have to grapple with as an industry for the next decade.”

On April 18, 2018, Facebook updated its privacy policy.

On May 2, 2018, SCL Group, which owns Cambridge Analytica, was dissolved. In a press release, the company indicated that “the siege of media coverage has driven away virtually all of the Company’s customers and suppliers.”

On May 15, 2018, The New York Times reported that Cambridge Analytica was being investigated by the FBI and the Justice Department. A source indicated to CBS News that prosecutors were focusing on potential financial crimes.

On May 16, 2018, Christopher Wylie testified before the Senate Judiciary Committee. Among other things, Wylie noted that Cambridge Analytica, under the direction of Steve Bannon, sought to “exploit certain vulnerabilities in certain segments to send them information that will remove them from the public forum, and feed them conspiracies and they’ll never see mainstream media.” Wylie also noted that the company targeted people with “characteristics that would lead them to vote for the Democratic party, particularly African American voters.”

On June 3, 2018, a report in The New York Times indicated that Facebook had maintained data-sharing partnerships with mobile device manufacturers, specifically naming Apple, Amazon, BlackBerry, Microsoft, and Samsung. Under the terms of this personal information sharing, device manufacturers were able to gather information about users in order to deliver “the Facebook experience,” the Times quotes a Facebook official as saying. Additionally, the report indicates that this access allowed device manufacturers to obtain data about a user’s Facebook friends, even if those friends had configured their privacy settings to deny information sharing with third parties.

The same day, Facebook issued a rebuttal to the Times report indicating that the partnerships were conceived because “the demand for Facebook outpaced our ability to build versions of the product that worked on every phone or operating system,” at a time when the smartphone market included BlackBerry’s BB10 and Windows Phone operating systems, among others. Facebook claimed that “contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends. We are not aware of any abuse by these companies.” The distinction being made is partially semantic, as Facebook does not consider these partnerships a third party in this case. Facebook noted that changes to the platform made in April began “winding down” access to these APIs, and that 22 of the partnerships had already been ended.

On June 5, 2018, The Washington Post and The New York Times reported that the Chinese device manufacturers Huawei, Lenovo, Oppo, and TCL were granted access to user data under this program. Huawei, along with ZTE, was facing scrutiny from the US government over unsubstantiated accusations that products from these companies pose a national security risk.

On July 2, 2018, The Washington Post reported that the US Securities and Exchange Commission, Federal Trade Commission, and Federal Bureau of Investigation had joined the Department of Justice inquiry into the Facebook/Cambridge Analytica data scandal. In a statement to CNET, Facebook indicated that “We’ve provided public testimony, answered questions, and pledged to continue our assistance as their work continues.” On July 11th, the Wall Street Journal reported that the SEC was separately investigating whether Facebook adequately warned investors in a timely manner about the possible misuse and improper collection of user data. The same day, the UK assessed a £500,000 fine to Facebook, the maximum permitted by law, over its role in the data scandal. The UK’s Information Commissioner’s Office was also preparing to launch a criminal probe into SCL Elections over its involvement in the scandal.

On July 3, 2018, Facebook acknowledged a “bug” that unblocked people whom users had blocked between May 29 and June 5.

On July 12, 2018, a CNBC report indicated that a privacy loophole was discovered and closed. A Chrome plug-in intended for marketing research called Grouply.io allowed users to access the list of members for private Facebook groups. Congress sent a letter to Zuckerberg on February 19, 2019 demanding answers about the data leak, stating in part that “labeling these groups as closed or anonymous potentially misled Facebook users into joining these groups and revealing more personal information than they otherwise would have,” and “Facebook may have failed to properly notify group members that their personal health information may have been accessed by health insurance companies and online bullies, among others.”

Fallout from a confluence of factors in the Facebook data privacy scandal came to bear in the last week of July 2018. On July 25th, Facebook announced that daily active user counts had fallen in Europe, and growth had stagnated in the US and Canada. The following day, Facebook suffered the worst single-day market value decrease for a public company in the US, dropping $120 billion, or 19%. On July 28th, Reuters reported that shareholders were suing Facebook, Zuckerberg, and CFO David Wehner for “making misleading statements about or failing to disclose slowing revenue growth, falling operating margins, and declines in active users.”

On August 22, 2018, Facebook removed the Facebook-owned security app Onavo from the App Store for violating privacy rules. Data collected through the Onavo app is shared with Facebook.

In testimony before the Senate on September 5, 2018, COO Sheryl Sandberg conceded that the company “[was] too slow to spot this and too slow to act” on privacy protections. Sandberg and Twitter CEO Jack Dorsey faced questions focusing on user privacy, election interference, and political censorship. Senator Mark Warner of Virginia even said that “The era of the wild west in social media is coming to an end,” which seems to indicate coming legislation.

On September 6, 2018, a spokesperson indicated that Joseph Chancellor was no longer employed by Facebook. Chancellor was a co-director of Global Science Research, the firm which improperly provided user data to Cambridge Analytica. An internal investigation was launched in March in part to determine his involvement. No statement was released indicating the result of that investigation.

On September 7, 2018, Zuckerberg stated in a post that fixing issues such as “defending against election interference by nation states, protecting our community from abuse and harm, or making sure people have control of their information and are comfortable with how it’s used,” is a process which “will extend through 2019.”

On September 26, 2018, WhatsApp co-founder Brian Acton stated in an interview with Forbes that “I sold my users’ privacy” as a result of the messaging app being sold to Facebook in 2014 for $22 billion.

On September 28, 2018, Facebook disclosed details of a security breach which affected 50 million users. The vulnerability originated in the “view as” feature, which lets users see what their profiles look like to other people. Attackers devised a way to export “access tokens,” which could be used to gain control of other users’ accounts.

A CNET report published on October 5, 2018, details the existence of an “Internet Bill of Rights” drafted by Rep. Ro Khanna (D-CA). The bill is likely to be introduced in the event the Democrats regain control of the House of Representatives in the 2018 elections. In a statement, Khanna noted that “As our lives and the economy are more tied to the internet, it is essential to provide Americans with basic protections online.”

On October 11, 2018, Facebook deleted over 800 pages and accounts in advance of the 2018 elections for violating rules against spam and “inauthentic behavior.” The same day, it disabled accounts for a Russian firm called “Social Data Hub,” which claimed to sell scraped user data. A Reuters report indicates that Facebook will ban false information about voting in the midterm elections.

On October 16, 2018, rules requiring public disclosure of who pays for political advertising on Facebook, as well as identity verification of users paying for political advertising, were extended to the UK. The rules were first rolled out in the US in May.

On October 25, 2018, Facebook was fined £500,000 by the UK’s Information Commissioner’s Office for its role in the Cambridge Analytica scandal. The fine is the maximum amount permitted by the Data Protection Act 1998. The ICO indicated that the fine was final. A Facebook spokesperson told ZDNet that the company “respectfully disagreed,” and has filed for appeal.

The same day, Vice published a report indicating that Facebook’s advertiser disclosure policy was trivial to abuse. Reporters from Vice submitted advertisements for approval attributed to Mike Pence, DNC Chairman Tom Perez, and Islamic State, which were approved by Facebook. Further, the contents of the advertisements were copied from Russian advertisements. A spokesperson for Facebook confirmed to Vice that the copied content does not violate rules, though the false attribution does. According to Vice, the only denied submission was attributed to Hillary Clinton.

On October 30, 2018, Vice published a second report in which it claimed that it successfully applied to purchase advertisements attributed to all 100 sitting US Senators, indicating that Facebook had yet to fix the problem reported in the previous week. According to Vice, the only denied submission in this test was attributed to Mark Zuckerberg.

On November 14, 2018, the New York Times published an exposé on the Facebook data privacy scandal, citing interviews of more than 50 people, including current and former Facebook executives and employees. In the exposé, the Times reports:

  • In the Spring of 2016, a security expert employed by Facebook informed Chief Security Officer Alex Stamos of Russian hackers “probing Facebook accounts for people connected to the presidential campaigns,” which Stamos, in turn, reported to general counsel Colin Stretch.
  • A group called “Project P” was assembled by Zuckerberg and Sandberg to study false news on Facebook. By January 2017, this group “pressed to issue a public paper” about their findings, but was stopped by board members and Facebook vice president of global public policy Joel Kaplan, who had formerly worked in former US President George W. Bush’s administration.
  • In Spring and Summer of 2017, Facebook was “publicly claiming there had been no Russian effort of any significance on Facebook,” despite an ongoing investigation into the extent of Russian involvement in the election.
  • Sandberg “and deputies” insisted that the post drafted by Stamos to publicly acknowledge Russian involvement for the first time be made “less specific” before publication.
  • In October 2017, Facebook expanded its engagement with Republican-linked firm Definers Public Affairs to discredit “activist protesters.” That firm worked to link people critical of Facebook to liberal philanthropist George Soros, and “[lobbied] a Jewish civil rights group to cast some criticism of the company as anti-Semitic.”
  • Following comments critical of Facebook by Apple CEO Tim Cook, a spate of articles critical of Apple and Google began appearing on NTK Network, an organization which shares an office and staff with Definers. Other articles appeared on the website downplaying the Russians’ use of Facebook.

On November 15, 2018, Facebook announced it had terminated its relationship with Definers Public Affairs, though it disputed that either Zuckerberg or Sandberg was aware of the “specific work being done.” Further, a Facebook spokesperson indicated “It is wrong to suggest that we have ever asked Definers to pay for or write articles on Facebook’s behalf, or communicate anything untrue.”

On November 22, 2018, Sandberg acknowledged that work produced by Definers “was incorporated into materials presented to me and I received a small number of emails where Definers was referenced.”

On November 25, 2018, the founder of Six4Three, on a business trip to London, was compelled by Parliament to hand over documents relating to Facebook. Six4Three obtained these documents during the discovery process relating to an app developed by the startup that used image recognition to identify photos of women in bikinis shared on Facebook users’ friends’ pages. Reports indicate that Parliament sent an official to the founder’s hotel with a warning that noncompliance would result in possible fines or imprisonment. Despite the warning, the founder of the startup remained noncompliant, prompting him to be escorted to Parliament, where he turned over the documents.

A report in the New York Times published on November 29, 2018, indicates that Sheryl Sandberg personally asked Facebook communications staff in January to “research George Soros’s financial interests in the wake of his high-profile attacks on tech companies.”

On December 5, 2018, documents obtained in the probe of Six4Three were released by Parliament. Damian Collins, the MP who issued the order compelling the handover of the documents in November, highlighted six key points from the documents:

  • Facebook entered into whitelisting agreements with Lyft, Airbnb, Bumble, and Netflix, among others, allowing those groups full access to friends data after Graph API v1 was discontinued. Collins indicates “It is not clear that there was any user consent for this, nor how Facebook decided which companies should be whitelisted or not.”
  • According to Collins, “increasing revenues from major app developers was one of the key drivers behind the Platform 3.0 changes at Facebook. The idea of linking access to friends data to the financial value of the developers’ relationship with Facebook is a recurring feature of the documents.”
  • Data reciprocity between Facebook and app developers was a central focus for the release of Platform v3, with Zuckerberg discussing charging developers for API access to friend lists.
  • Internal discussions of changes to the Facebook Android app acknowledge that requesting permissions to collect calls and texts sent by the user would be controversial, with one project manager stating it was “a pretty high-risk thing to do from a PR perspective.”
  • Facebook used data collected through Onavo, a VPN service the company acquired in 2013, to survey the use of mobile apps on smartphones. According to Collins, this occurred “apparently without [users’] knowledge,” and was used by Facebook to determine “which companies to acquire, and which to treat as a threat.”
  • Collins contends that “the files show evidence of Facebook taking aggressive positions against apps, with the consequence that denying them access to data led to the failure of that business.” Documents disclosed specifically indicate Facebook revoked API access to video sharing service Vine.

In a statement, Facebook claimed, “Six4Three… cherrypicked these documents from years ago.” Zuckerberg responded separately to the public disclosure on Facebook, acknowledging, “Like any organization, we had a lot of internal discussion and people raised different ideas.” He called the Facebook scrutiny “healthy given the vast number of people who use our services,” but said it shouldn’t “misrepresent our actions or motives.”

On December 14, 2018, a vulnerability was disclosed in the Facebook Photo API that existed between September 13 and 25, 2018, exposing private photos of 6.8 million users. The Photo API bug affected people who use Facebook to log in to third-party services.

On December 18, 2018, The New York Times reported on special data sharing agreements that “[exempted] business partners from its usual privacy rules,” naming Microsoft’s Bing search engine, Netflix, Spotify, Amazon, and Yahoo as partners in the report. Partners were capable of accessing data including friend lists and private messages, “despite public statements it had stopped that type of sharing years earlier.” Facebook claimed the data sharing was about “helping people,” and that this was not done without user consent.

On January 17, 2019, Facebook disclosed that it removed hundreds of pages and accounts controlled by Russian propaganda organization Sputnik, including accounts posing as politicians from primarily Eastern European countries.

On January 29, 2019, a TechCrunch report uncovered the “Facebook Research” program, which paid users aged 13 to 35 up to $20 per month to install a VPN application similar to Onavo that allowed Facebook to gather practically all information about how their phones were used. On iOS, this was distributed using Apple’s Developer Enterprise Program, for which Apple briefly revoked Facebook’s certificate as a result of the controversy.

Facebook initially indicated that “less than 5% of the people who chose to participate in this market research program were teens,” and on March 1, 2019 amended the statement to “about 18 percent.”

On February 7, 2019, the German antitrust office ruled that Facebook must obtain consent before collecting data on non-Facebook members, following a three-year investigation.

On February 20, 2019, Facebook added new location controls to its Android app that allow users to limit background data collection when the app is not in use.

The same day, ZDNet reported that Microsoft’s Edge browser contained a secret whitelist allowing Facebook to run Adobe Flash, bypassing the click-to-play policy that other websites are subject to for Flash objects over 398×298 pixels. The whitelist was removed in the February 2019 Patch Tuesday update.

On March 6, 2019, Zuckerberg announced a plan to rebuild services around encryption and privacy, “over the next few years.” As part of these changes, Facebook will make messages between Facebook, Instagram, and WhatsApp interoperable. Former Microsoft executive Steven Sinofsky–who was fired after the poor reception of Windows 8–called the move “fantastic,” comparing it to Microsoft’s Trustworthy Computing initiative in 2002.

CNET and CBS News Senior Producer Dan Patterson noted on CBSN that Facebook can benefit from this consolidation by making the messaging platforms cheaper to operate, as well as profiting from users sending money through the messaging platform, in a business model similar to Venmo.

On March 21, 2019, Facebook disclosed a lapse in security that resulted in hundreds of millions of passwords being stored in plain text, affecting users of Facebook, Facebook Lite, and Instagram. Facebook claimed that “these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”

Though Facebook’s post does not provide specifics, a report by veteran security reporter Brian Krebs claimed “between 200 million and 600 million” users were affected, and that “more than 20,000 Facebook employees” would have had access.

On March 22, 2019, a court filing by the attorney general of Washington DC alleged that Facebook knew about the Cambridge Analytica scandal months prior to the first public reports in December 2015. Facebook claimed that employees knew of rumors relating to Cambridge Analytica, but the claims relate to a “different incident” than the main scandal, and insisted that the company did not mislead anyone about the timeline of the scandal.

Facebook is seeking to have the case filed in Washington DC dismissed, as well as to seal a document filed in that case.

On March 31, 2019, The Washington Post published an op-ed by Zuckerberg calling for governments and regulators to take a “more active role” in regulating the internet. Shortly after, Facebook introduced a feature that explains why content is shown to users on their news feeds.

On April 3, 2019, over 540 million Facebook-related records were found on two improperly protected AWS servers. The data was collected by Cultura Colectiva, a Mexico-based online media platform, using Facebook APIs. Amazon deactivated the associated account at Facebook’s request.

On April 15, 2019, it was discovered that Oculus, a company owned by Facebook, shipped VR headsets with internal etchings including text such as “Big Brother is Watching.”

On April 18, 2019, Facebook disclosed the “unintentional” harvesting of email contacts belonging to approximately 1.5 million users over the course of three years. Affected users were asked to provide email address credentials to verify their identity.

On April 30, 2019, at Facebook’s F8 developer conference , the company unveiled plans to overhaul Messenger and re-orient Facebook to prioritize Groups instead of the timeline view, with Zuckerberg declaring “The future is private.”

On May 9, 2019, Facebook co-founder Chris Hughes called for Facebook to be broken up by government regulators, in an editorial in The New York Times. Hughes, who left the company in 2007, cited concerns that Zuckerberg has surrounded himself with people who do not challenge him. “We are a nation with a tradition of reining in monopolies, no matter how well-intentioned the leaders of these companies may be. Mark’s power is unprecedented and un-American,” Hughes said.

Proponents of a Facebook breakup typically point to unwinding the social network’s purchase of Instagram and WhatsApp.

Zuckerberg dismissed Hughes’ appeal for a breakup in comments to France 2, stating in part that “If what you care about is democracy and elections, then you want a company like us to invest billions of dollars a year, like we are, in building up really advanced tools to fight election interference.”

On May 24, 2019, a report from Motherboard claimed “multiple” staff members of Snapchat used internal tools to spy on users.

On July 8, 2019, Apple co-founder Steve Wozniak warned users to get off of Facebook.

On July 18, 2019, lawmakers in a House Committee on Financial Services hearing expressed mistrust of Facebook’s Libra cryptocurrency plan due to its “pattern of failing to keep consumer data private.” Lawmakers had previously issued a letter to Facebook requesting the company pause development of the project.

On July 24, 2019, the FTC announced a $5 billion settlement with Facebook over user privacy violations. Facebook agreed to conduct an overhaul of its consumer privacy practices as part of the settlement. Access to friend data by Sony and Facebook was “immediately” restricted as part of this settlement, according to CNET. Separately, the FTC settled with Aleksandr Kogan and former Cambridge Analytica CEO Alexander Nix, “restricting how they conduct any business in the future, and requiring them to delete or destroy any personal information they collected.” The FTC announced a lawsuit against Cambridge Analytica the same day.

Also on July 24, 2019, Netflix released “The Great Hack,” a documentary about the Cambridge Analytica scandal.

In early July 2020, Facebook admitted to sharing user data with an estimated 5,000 third-party developers after their access to that data was supposed to have expired.

Zuckerberg testified before Congress again on July 29, 2020, as part of an antitrust hearing that included Amazon’s Jeff Bezos, Apple’s Tim Cook, and Google’s Sundar Pichai. The hearing didn’t touch on Facebook’s data privacy scandal, and was instead focused on Facebook’s purchase of Instagram and WhatsApp, as well as its treatment of other competing services.

  • Facebook knew of illicit user profile harvesting for 2 years, never acted (CBS News)
  • Facebook’s FTC consent decree deal: What you need to know (CNET)
  • Australia’s Facebook investigation expected to take at least 8 months (ZDNet)
  • Election tech: The truth about Cambridge Analytica’s political big data (TechRepublic)
  • Google sued by ACCC for allegedly linking data for ads without consent (ZDNet)
  • Midterm elections, social media and hacking: What you need to know (CNET)
  • Critical flaw revealed in Facebook Fizz TLS project (ZDNet)
  • CCPA: What California’s new privacy law means for Facebook, Twitter users (CNET)

What are the key companies involved in the Facebook data privacy scandal?

In addition to Facebook, these are the companies connected to this data privacy story.

SCL Group (formerly Strategic Communication Laboratories) is at the center of the privacy scandal, though it has operated primarily through subsidiaries. Nominally, SCL was a behavioral research/strategic communication company based in the UK. The company was dissolved on May 1, 2018.

Cambridge Analytica and SCL USA are offshoots of SCL Group, primarily operating in the US. Registration documentation indicates the pair formally came into existence in 2013. As with SCL Group, the pair were dissolved on May 1, 2018.

Global Science Research was a market research firm based in the UK from 2014 to 2017. It was the originator of the thisisyourdigitallife app. The personal data derived from the app (if not the app itself) was sold to Cambridge Analytica for use in campaign messaging.

Emerdata is the functional successor to SCL and Cambridge Analytica. It was founded in August 2017, with registration documents listing several people associated with SCL and Cambridge Analytica, as well as the same address as that of SCL Group’s London headquarters.

AggregateIQ is a Canadian consulting and technology company founded in 2013. The company produced Ripon, the software platform for Cambridge Analytica’s political campaign work, which leaked publicly after being discovered in an unprotected GitLab bucket.

Cubeyou is a US-based data analytics firm that also operated surveys on Facebook, and worked with Cambridge University from 2013 to 2015. It was suspended from Facebook in April 2018 following a CNBC report.

Six4Three was a US-based startup that created an app that used image recognition to identify photos of women in bikinis shared on Facebook users’ friends’ pages. The company sued Facebook in April 2015, when the app became inoperable after access to this data was revoked when the original version of Facebook’s Graph API was discontinued.

Onavo is an analytics company that develops mobile apps. They created Onavo Extend and Onavo Protect, which are VPN services for data protection and security, respectively. Facebook purchased the company in October 2013. Data from Onavo is used by Facebook to track usage of non-Facebook apps on smartphones.

The Internet Research Agency is a St. Petersburg-based organization with ties to Russian intelligence services. The organization engages in politically-charged manipulation across English-language social media, including Facebook.

  • If your organization advertises on Facebook, beware of these new limitations (TechRepublic)
  • Data breach exposes Cambridge Analytica’s data mining tools (ZDNet)
  • Was your business’s Twitter feed sold to Cambridge Analytica? (TechRepublic)
  • US special counsel indicts 13 members of Russia’s election meddling troll farm (ZDNet)

Who are the key people involved in the Facebook data privacy scandal?

Nigel Oakes is the founder of SCL Group, the parent company of Cambridge Analytica. A report from Buzzfeed News unearthed a quote from 1992 in which Oakes stated, “We use the same techniques as Aristotle and Hitler. … We appeal to people on an emotional level to get them to agree on a functional level.”

Alexander Nix was the CEO of Cambridge Analytica and a director of SCL Group. He was suspended following reports detailing a video in which Nix claimed the company “offered bribes to smear opponents as corrupt,” and that it “campaigned secretly in elections… through front companies or using subcontractors.”

Robert Mercer is a conservative activist, computer scientist, and a co-founder of Cambridge Analytica. A New York Times report indicates that Mercer invested $15 million in the company. His daughters Jennifer Mercer and Rebekah Anne Mercer serve as directors of Emerdata.

Christopher Wylie is the former director of research at Cambridge Analytica. He provided information to The Guardian for its exposé of the Facebook data privacy scandal. He has since testified before committees in the US and UK about Cambridge Analytica’s involvement in this scandal.

Steve Bannon is a co-founder of Cambridge Analytica, as well as a founding member and former executive chairman of Breitbart News, an alt-right news outlet. Breitbart News has reportedly received funding from the Mercer family as far back as 2010. Bannon left Breitbart in January 2018. According to Christopher Wylie, Bannon is responsible for testing phrases such as “drain the swamp” at Cambridge Analytica, which were used extensively on Breitbart.

Aleksandr Kogan is a Senior Research Associate at Cambridge University and co-founder of Global Science Research, which created the data harvesting thisisyourdigitallife app. He worked as a researcher and consultant for Facebook in 2013 and 2015. Kogan also received Russian government grants and is an associate professor at St. Petersburg State University, though he claims this is an honorary role.

Joseph Chancellor was a co-director of Global Science Research, which created the data harvesting thisisyourdigitallife app. Around November 2015, he was hired by Facebook as a “quantitative social psychologist.” A spokesperson indicated on September 6, 2018, that he was no longer employed by Facebook.

Michal Kosinski, David Stillwell, and Thore Graepel are the researchers who proposed and developed the model to “psychometrically” analyze users based on their Facebook likes. At the time this model was published, Kosinski and Stillwell were affiliated with Cambridge University, while Graepel was affiliated with the Cambridge-based Microsoft Research. (None have an association with Cambridge Analytica, according to Cambridge University.)

Mark Zuckerberg is the founder and CEO of Facebook. He founded the website in 2004 from his dorm room at Harvard.

Sheryl Sandberg is the COO of Facebook. She left Google to join the company in March 2008. She became the eighth member of the company’s board of directors in 2012 and is the first woman in that role.

Damian Collins is a Conservative Party politician based in the United Kingdom. He currently serves as the Chair of the House of Commons Culture, Media and Sport Select Committee. Collins is responsible for issuing orders to seize documents from the American founder of Six4Three while he was traveling in London, and releasing those documents publicly.

Chris Hughes is one of four Facebook co-founders, who originally took on beta testing and feedback for the website, until leaving in 2007. Hughes is the first to call for Facebook to be broken up by regulators.

  • Facebook investigates employee’s ties to Cambridge Analytica (CBS News)
  • Aleksandr Kogan: The link between Cambridge Analytica and Facebook (CBS News)
  • Video: Cambridge Analytica shuts down following data scandal (CBS News)

How have Facebook and Mark Zuckerberg responded to the data privacy scandal?

Each time Facebook finds itself embroiled in a privacy scandal, the general playbook seems to be the same: Mark Zuckerberg delivers an apology, with oft-recycled lines, such as “this was a big mistake,” or “I know we can do better.” Despite repeated controversies regarding Facebook’s handling of personal data, it has continued to gain new users. This is by design–founding president Sean Parker indicated at an Axios conference in November 2017 that the first step of building Facebook features was “How do we consume as much of your time and conscious attention as possible?” Parker also likened the design of Facebook to “exploiting a vulnerability in human psychology.”

On March 16, 2018, Facebook announced that SCL and Cambridge Analytica had been banned from the platform. The announcement indicated, correctly, that “Kogan gained access to this information in a legitimate way and through the proper channels that governed all developers on Facebook at that time,” and that passing the information to a third party was against the platform policies.

The following day, the announcement was amended to state:

The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.

On March 21, 2018, Mark Zuckerberg posted his first public statement about the issue, stating in part that:

“We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you. I’ve been working to understand exactly what happened and how to make sure this doesn’t happen again.”

On March 26, 2018, Facebook placed full-page ads stating: “This was a breach of trust, and I’m sorry we didn’t do more at the time. We’re now taking steps to ensure this doesn’t happen again,” in The New York Times, The Washington Post, and The Wall Street Journal, as well as The Observer, The Sunday Times, Mail on Sunday, Sunday Mirror, Sunday Express, and Sunday Telegraph in the UK.

In a blog post on April 4, 2018, Facebook announced a series of changes to data handling practices and API access capabilities. Foremost among these include limiting the Events API, which is no longer able to access the guest list or wall posts. Additionally, Facebook removed the ability to search for users by phone number or email address and made changes to the account recovery process to fight scraping.

On April 10, 2018, and April 11, 2018, Mark Zuckerberg testified before Congress. Details about his testimony are in the next section of this article.

On April 10, 2018, Facebook announced the launch of its data abuse bug bounty program. While Facebook already has a security bug bounty program, this one is targeted specifically at data harvesting by malicious users. There is no limit to how much Facebook could potentially pay in a bounty, though to date the highest amount the company has paid is $40,000 for a security bug.

On May 14, 2018, “around 200” apps were banned from Facebook as part of an investigation into whether companies had abused APIs to harvest personal information. The company declined to provide a list of offending apps.

On May 22, 2018, Mark Zuckerberg testified, briefly, before the European Parliament about the data privacy scandal and Cambridge Analytica. The format of the testimony has been the subject of derision, as all of the questions were posed to Zuckerberg before he answered. Guy Verhofstadt, an EU Parliament member representing Belgium, said, “I asked you six ‘yes’ and ‘no’ questions, and I got not a single answer.”

What did Mark Zuckerberg say in his testimony to Congress?

In his Senate testimony on April 10, 2018, Zuckerberg reiterated his apology, stating that “We didn’t take a broad enough view of our responsibility, and that was a big mistake. And it was my mistake. And I’m sorry. I started Facebook, I run it, and I’m responsible for what happens here,” adding in a response to Sen. John Thune that “we try not to make the same mistake multiple times... in general, a lot of the mistakes are around how people connect to each other, just because of the nature of the service.”

Sen. Amy Klobuchar asked if Facebook had determined whether Cambridge Analytica and the Internet Research Agency were targeting the same users. Zuckerberg replied, “We’re investigating that now. We believe that it is entirely possible that there will be a connection there.” According to NBC News, this was the first suggestion that there is a link between the activities of Cambridge Analytica and the Russian disinformation campaign.

On June 11, 2018, nearly 500 pages of new testimony from Zuckerberg were released, following promises of a follow-up to questions he did not have sufficient information to address during his Congressional testimony. The Washington Post notes that the release “in some instances sidestepped lawmakers’ questions and concerns,” but that the questions being asked were not always relevant, particularly in the case of Sen. Ted Cruz, who attempted to bring attention to Facebook’s donations to political organizations, as well as how Facebook treats criticism of “Taylor Swift’s recent cover of an Earth, Wind and Fire song.”

  • Facebook gave Apple, Samsung access to data about users — and their friends (CNET)
  • Zuckerberg doubles down on Facebook’s fight against fake news, data misuse (CNET)
  • Tech execs react to Mark Zuckerberg’s apology: “I think he’s sorry he has to testify” (CBS News)
  • On Facebook, Zuckerberg gets privacy and you get nothing (ZDNet)
  • 6 Facebook security mistakes to fix on Data Privacy Day (CNET)
  • Zuckerberg takes Facebook data apology tour to Washington (CNET)
  • Zuckerberg’s Senate hearing highlights in 10 minutes (CNET via YouTube)
  • Russian politicians call on Facebook’s Mark Zuckerberg to testify on privacy (CNET)

What is the 2016 US presidential election connection to the Facebook data privacy scandal?

In December 2015, The Guardian broke the story of Cambridge Analytica being contracted by Ted Cruz’s campaign for the Republican Presidential Primary. Despite Cambridge Analytica CEO Alexander Nix’s claim in an interview with TechRepublic that the company is “fundamentally politically agnostic and an apolitical organization,” the primary financier of the Cruz campaign was Cambridge Analytica co-founder Robert Mercer, who donated $11 million to a pro-Cruz Super PAC. Following Cruz’s withdrawal from the campaign in May 2016, the Mercer family began supporting Donald Trump.

In January 2016, Facebook COO Sheryl Sandberg told investors that the election was “a big deal in terms of ad spend,” and that through “using Facebook and Instagram ads you can target by congressional district, you can target by interest, you can target by demographics or any combination of those.”

In October 2017, Facebook announced changes to its advertising platform, requiring identity and location verification and prior authorization in order to run electoral advertising. In the wake of the fallout from the data privacy scandal, further restrictions were added in April 2018, placing “issue ads” regarding topics of current interest under similar restrictions.

In secretly recorded conversations by an undercover team from Channel 4 News, Cambridge Analytica’s Nix claimed the firm was behind the “defeat crooked Hillary” advertising campaign, adding, “We just put information into the bloodstream of the internet and then watch it grow, give it a little push every now and again over time to watch it take shape,” and that “this stuff infiltrates the online community, but with no branding, so it’s unattributable, untrackable.” The same exposé quotes Chief Data Officer Alex Tayler as saying, “When you think about the fact that Donald Trump lost the popular vote by 3 million votes but won the electoral college vote, that’s down to the data and the research.”

  • How Cambridge Analytica used your Facebook data to help elect Trump (ZDNet)
  • Facebook takes down fake accounts operated by ‘Roger Stone and his associates’ (ZDNet)
  • Facebook, Cambridge Analytica and data mining: What you need to know (CNET)
  • Civil rights auditors slam Facebook stance on Trump, voter suppression (ZDNet)
  • The Trump campaign app is tapping a “gold mine” of data about Americans (CBS News)

What is the Brexit tie-in to the Facebook data privacy scandal?

AggregateIQ was retained by Nigel Farage’s Vote Leave organization in the Brexit campaign, and both The Guardian and BBC claim that the Canadian company is connected to Cambridge Analytica and its parent organization SCL Group. UpGuard, the organization that found a public GitLab instance with code from AggregateIQ, has extensively detailed its connection to Cambridge Analytica and its involvement in Brexit campaigning.

Additionally, The Guardian quotes Wylie as saying the company “was set up as a Canadian entity for people who wanted to work on SCL projects who didn’t want to move to London.”

  • Brexit: A cheat sheet (TechRepublic)
  • Facebook suspends another data analytics firm, AggregateIQ (CBS News)
  • Lawmakers grill academic at heart of Facebook scandal (CBS News)

How is Facebook affected by the GDPR?

Like any organization providing services to users in European Union countries, Facebook is bound by the EU General Data Protection Regulation (GDPR). Due to the scrutiny Facebook is already facing regarding the Cambridge Analytica scandal, as well as the fact that the social media giant’s product is essentially personal information, its strategy for GDPR compliance is receiving a great deal of focus from users and from other companies looking for a model of compliance.

While in theory the GDPR is only applicable to people residing in the EU, Facebook will require all users to review their data privacy settings. According to a ZDNet article, Facebook users will be asked if they want to see advertising based on partner information–in practice, websites that feature Facebook’s “Like” buttons. Users globally will be asked if they wish to continue sharing political, religious, and relationship information, while users in Europe and Canada will be given the option of switching automatic facial recognition on again.

Facebook members outside the US and Canada have heretofore been governed by the company’s terms of service in Ireland. This has reportedly been changed prior to the start of GDPR enforcement, as this would seemingly make Facebook liable for damages for users internationally, due to Ireland’s status as an EU member.

  • Google, Facebook hit with serious GDPR complaints: Others will be soon (ZDNet)
  • Facebook rolls out changes to comply with new EU privacy law (CBS News)
  • European court strikes down EU-US Privacy Shield user data exchange agreement as invalid (ZDNet)
  • GDPR security pack: Policies to protect data and achieve compliance (TechRepublic Premium)
  • IT pro’s guide to GDPR compliance (free PDF) (TechRepublic)

What are Facebook “shadow profiles?”

“Shadow profiles” are stores of information that Facebook has obtained about other people–who are not necessarily Facebook users. The existence of “shadow profiles” was discovered as a result of a bug in 2013. When a user downloaded their Facebook history, that user would obtain not just his or her address book, but also the email addresses and phone numbers of their friends that other people had stored in their address books.

Facebook described the issue in an email to the affected users. This is an excerpt of the email, according to security site Packet Storm:

When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. Because of the bug, the email addresses and phone numbers used to make friend recommendations and reduce the number of invitations we send were inadvertently stored in their account on Facebook, along with their uploaded contacts. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, which included their uploaded contacts, they may have been provided with additional email addresses or telephone numbers.

Because of the way that Facebook synthesizes data in order to attribute collected data to existing profiles, data of people who do not have Facebook accounts congeals into dossiers, which are popularly called a “shadow profile.” It is unclear what other sources of input are added to said “shadow profiles,” a term that Facebook does not use, according to Zuckerberg in his Senate testimony.
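The mechanism in the excerpt above (contact lists uploaded for friend matching, with the matched details inadvertently stored on the uploader’s account and then emitted by the Download Your Information tool) is easy to reproduce in miniature. The following is an added illustration written for this article, not Facebook code or the data model the email describes; the user names, address-book entries, field names and the two import paths are all constructed. It shows why data that is only needed transiently for matching must never be persisted next to the user’s own uploads, because any self-service export of “everything on the account” will then include it.

```python
"""Model of the contact-import defect behind the 2013 "shadow profile" disclosure.

Added illustration, not Facebook code. Users, entries and field names are
constructed; the two import paths contrast persisting match data with
discarding it once the recommendation step has used it.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: two users upload address books. Carol has no account;
# only Bob's address book contains her phone number.
UPLOADS = {
    "alice": [{"name": "Carol", "email": "carol@example.org"}],
    "bob":   [{"name": "Carol", "email": "carol@example.org", "phone": "+1-555-0102"}],
}


@dataclass
class Account:
    user_id: str
    uploaded_contacts: list = field(default_factory=list)
    match_data: list = field(default_factory=list)  # the field the bug populated


def build_match_index(uploads):
    """Merge every uploaded entry that shares an email into one record.

    This is the matching step a friend recommender needs. The merged record
    is, in effect, the dossier for a person who may not be a user at all.
    """
    index = defaultdict(dict)
    for entries in uploads.values():
        for entry in entries:
            index[entry["email"]].update(entry)
    return index


def import_contacts_buggy(account, uploads):
    """Defective path: the merged match record is persisted on the uploader's account."""
    index = build_match_index(uploads)
    for entry in uploads[account.user_id]:
        account.uploaded_contacts.append(dict(entry))
        # Defect: fields this user never uploaded (Carol's phone, supplied by Bob)
        # are written alongside the user's own contacts.
        account.match_data.append(dict(index[entry["email"]]))
    return account


def import_contacts_fixed(account, uploads):
    """Corrected path: match data is consumed by the recommender and never stored."""
    index = build_match_index(uploads)
    for entry in uploads[account.user_id]:
        account.uploaded_contacts.append(dict(entry))
        # The merged record is available here for computing recommendations
        # (index[entry["email"]]) but nothing from it is written to the account.
    return account


def download_your_information(account):
    """DYI-style export: everything stored under the account, as such a tool would emit."""
    return account.uploaded_contacts + account.match_data


def leaked_fields(account, uploads):
    """Fields in the export that this user did not upload themselves."""
    own = set()
    for entry in uploads[account.user_id]:
        own.update(entry.items())
    leaked = set()
    for record in download_your_information(account):
        leaked.update(set(record.items()) - own)
    return sorted(leaked)


if __name__ == "__main__":
    buggy = import_contacts_buggy(Account("alice"), UPLOADS)
    print("buggy export leaks:", leaked_fields(buggy, UPLOADS))
    fixed = import_contacts_fixed(Account("alice"), UPLOADS)
    print("fixed export leaks:", leaked_fields(fixed, UPLOADS))
```

The check that matters for a defender is `leaked_fields`: comparing what an export contains against what the user actually supplied is a cheap regression test for any data-export feature, and it would have flagged Bob’s contribution of Carol’s number appearing in Alice’s archive.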

  • Shadow profiles: Facebook has information you didn’t hand over (CNET)
  • Finally, the world is getting concerned about data privacy (TechRepublic)
  • Firm: Facebook’s shadow profiles are ‘frightening’ dossiers on everyone (ZDNet)

What are the possible implications for enterprises and business users?

Business users and business accounts should be aware that they are as vulnerable as consumers to data exposure. Because Facebook harvests and shares metadata–including SMS and voice call records–between the company’s mobile applications, business users should be aware that their risk profile is the same as a consumer’s. The stakes for businesses and employees could be higher, given that incidental or accidental data exposure could expose the company to liability, IP theft, extortion attempts, and cybercriminals.

Though deleting or deactivating Facebook applications won’t prevent the company from creating so-called advertising “shadow profiles,” it will prevent the company from capturing geolocation and other sensitive data. For actionable best practices, contact your company’s legal counsel.

  • Social media policy (TechRepublic Premium)
  • Want to attain and retain customers? Adopt data privacy policies (TechRepublic)
  • Hiring kit: Digital campaign manager (TechRepublic Premium)
  • Photos: All the tech celebrities and brands that have deleted Facebook (TechRepublic)

How can I change my Facebook privacy settings?

According to Facebook, in 2014 the company removed the ability for apps that friends use to collect information about an individual user. If you wish to disable third-party use of Facebook altogether–including Login With Facebook and apps that rely on Facebook profiles such as Tinder–this can be done in the Settings menu under Apps And Websites. The Apps, Websites And Games field has an Edit button–click that, and then click Turn Off.

Facebook has been proactively notifying users who had their data collected by Cambridge Analytica, though users can manually check to see if their data was shared by going to this Facebook Help page.

Facebook is also developing a Clear History button, which the company indicates will clear “their database record of you.” CNET and CBS News Senior Producer Dan Patterson noted on CBSN that “there aren’t a lot of specifics on what that clearing of the database will do, and of course, as soon as you log back in and start creating data again, you set a new cookie and you start the process again.”

To gain a better understanding of how Facebook handles user data, including what options can and cannot be modified by end users, it may be helpful to review Facebook’s Terms of Service, as well as its Data Policy and Cookies Policy.

  • Ultimate guide to Facebook privacy and security (Download.com)
  • Facebook’s new privacy tool lets you manage how you’re tracked across the web (CNET)
  • Securing Facebook: Keep your data safe with these privacy settings (ZDNet)
  • How to check if Facebook shared your data with Cambridge Analytica (CNET)

Note: This article was written and reported by James Sanders and Dan Patterson. It was updated by Brandon Vigliarolo.

FTC’s $5 billion Facebook settlement: Record-breaking and history-making

If you’ve ever wondered what a paradigm shift looks like, you’re witnessing one today. The FTC’s $5 billion civil penalty against Facebook for violations of an earlier FTC order is record-breaking and history-making. In addition, the settlement requires Facebook to implement changes to its privacy practices, its corporate structure, and the role of CEO Mark Zuckerberg that are seismic in scope. Simply put, when it comes to the business of consumer privacy, it’s no longer business as usual at Facebook.

Why the FTC sued Facebook in 2012

In 2012, the FTC charged Facebook with eight separate privacy-related violations, including that the company made deceptive claims about consumers’ ability to control the privacy of their personal data. One specific count alleged that Facebook allowed users to choose settings that supposedly limited access to their information just to “friends” without adequate disclosures that another setting allowed that same information to be shared with the developers of apps those friends used. Put another way, suppose Consumer A restricted access to friends and designated Consumer B as a friend. If Consumer B used a particular app on Facebook – let’s say a game – the game developer could access information about Consumer A, including data designated as private. That was all going on behind the scenes without a clear disclosure to Consumer A and in flagrant disregard of that person’s privacy choices.

To settle that case, Facebook agreed to an order that, among other things: 1) prohibited Facebook from making misrepresentations about the privacy or security of consumers’ information, 2) prohibited Facebook from misrepresenting the extent to which it shares personal data, and 3) required Facebook to implement a reasonable privacy program.

According to the FTC, Facebook flouted that order in multiple ways, and today’s settlement holds them accountable for putting profits over their privacy promises.

How Facebook violated the 2012 FTC order and the FTC Act

Under the 2012 order, Facebook must honor consumers’ privacy choices or face an order enforcement action, which can result in substantial civil penalties not legally available to the FTC in an initial lawsuit. The FTC alleges that since agreeing to that settlement, Facebook repeatedly misrepresented the extent to which users could control the privacy of their data.

FTC Settlement with Facebook

But according to the FTC, even if people chose the most restrictive settings those tools allowed, Facebook made consumers’ personal data accessible to companies that developed apps used by consumers’ friends. To name just a few categories, that included the news and books they were reading, their relationship details, their religious and political views, their work history, their photos, and the videos they watched. Facebook did offer a setting to ensure users’ privacy preferences would be honored, but it was hidden away in a place people were unlikely to look. And it wasn’t directly accessible from the very tools the company touted as the way for consumers to “review and edit the privacy of key pieces of information.”
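The Consumer A / Consumer B scenario in the 2012 count above, and the hidden setting described in this paragraph, amount to an authorization defect: an app installed by a friend inherited the friend’s view of the subject’s data, and the one control that could stop it was separate from the audience selector people were told to use. The following is an added policy model written for this post, not Facebook code or the platform’s actual permission system; the user ids, field names, the “friends”/“public”/“only_me” audiences and the separate per-field setting for apps others use are constructed. It contrasts the inherited-view check with one that also requires the subject’s own opt-in for friends’ apps, and shows how the subject’s data is filtered under each.

```python
"""Policy model of the friend-app data path described in the FTC complaint.

Added illustration, not Facebook code. Profiles, audiences and the separate
'apps others use' setting are constructed to show why a per-field audience
alone does not stop an app installed by a friend from reading the data.
"""
from dataclasses import dataclass, field


@dataclass
class Profile:
    user_id: str
    friends: set
    audience: dict                                      # field -> "public" | "friends" | "only_me"
    apps_others_use: set = field(default_factory=set)   # fields friends' apps may read
    data: dict = field(default_factory=dict)


def user_can_view(viewer, subject, name):
    """Audience check for a person looking at another person's profile."""
    aud = subject.audience.get(name, "only_me")  # default deny for unlisted fields
    if aud == "public":
        return True
    if aud == "friends":
        return viewer.user_id in subject.friends
    return viewer.user_id == subject.user_id


def app_read_inherited(app_user, subject, name):
    """Defective rule: an app installed by app_user gets exactly app_user's view.

    Consumer A's 'friends only' setting is satisfied because B is a friend, so
    B's app reads A's data even though A never chose to share it with an app.
    """
    return user_can_view(app_user, subject, name)


def app_read_with_consent(app_user, subject, name):
    """Corrected rule: the subject must also have enabled the field for friends' apps."""
    return name in subject.apps_others_use and user_can_view(app_user, subject, name)


def app_fetch(read_policy, app_user, subject):
    """Return the subset of subject.data an app installed by app_user may read."""
    return {k: v for k, v in subject.data.items() if read_policy(app_user, subject, k)}


def demo():
    """Constructed scenario: A restricts everything to friends; B is A's friend and runs a game."""
    a = Profile("A", friends={"B"},
                audience={"religion": "friends", "books": "friends"},
                data={"religion": "private-view", "books": "reading-list"})
    b = Profile("B", friends={"A"}, audience={})
    stranger = Profile("C", friends=set(), audience={})
    return {
        "inherited": app_fetch(app_read_inherited, b, a),
        "with_consent": app_fetch(app_read_with_consent, b, a),
        "stranger_inherited": app_fetch(app_read_inherited, stranger, a),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The corrected rule is deliberately default-deny: a field the subject never listed under `apps_others_use` is withheld even if its audience is public, which is the conservative reading of “honor the subject’s privacy choices” that the FTC faulted Facebook for not applying.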

Furthermore, at the 2014 F8 conference – a gathering of companies that build products and services around Facebook – Facebook announced that it was no longer allowing third-party developers to collect data about the friends of app users. However, Facebook was separately telling developers with existing apps on the platform that they could continue to collect friends’ personal data for another year. And even after that period elapsed, Facebook continued to provide certain developers with access to friend data for years to come. The FTC says it took Facebook until at least June 2018 to stop providing access to this data to certain third-party apps.

Another way the FTC says Facebook violated the order was by failing to adequately assess and address privacy risks posed by third-party developers. Other than getting developers to click an “I agree” terms-and-conditions box when registering an app with the Facebook Platform, Facebook didn’t screen developers or their apps before giving them access to massive amounts of data that users had designated as private. Of course, in the wrong hands, information like that can grease the wheels for identity thieves and fraudsters. One particularly troubling charge is that when Facebook learned that app developers were violating Facebook’s terms, Facebook’s enforcement action was often influenced by how much advertising money the app developer spent with Facebook. Just how much user data was improperly disclosed? Facebook’s poor recordkeeping makes that difficult to determine.

According to the complaint, another way Facebook misrepresented the extent to which users could control the privacy of their data related to a form of technology that raises particular concerns for many consumers: facial recognition. In an April 2018 update to its Data Policy, Facebook represented to consumers, “Face recognition: If you have it turned on, we use face recognition technology to recognize you in photos, videos and camera experiences.” The complaint alleges that this statement was deceptive to tens of millions of users who have Facebook’s facial recognition setting, “Tag Suggestions,” because that setting was turned on by default and the updated Data Policy suggested that users would need to opt in to having facial recognition enabled for their accounts.

In addition, the complaint charges Facebook with a new violation of the FTC Act. You know how Facebook asks users for their mobile phone number to help secure their accounts or reset their passwords? According to the complaint, Facebook didn’t tell people it also used that phone number to serve them with ads.

It boils down to this. In the face of consumers’ intent to limit information-sharing to a select few, Facebook ignored them and shared it broadly. Facebook did that despite its privacy promises, despite consumers’ efforts to protect their privacy, and despite the terms of the 2012 order. Why? To further Facebook’s financial interests.

How the new order will change Facebook’s approach to consumer privacy

The $5 billion civil penalty is the largest ever imposed on a company anywhere for violating consumers’ privacy. What’s more, the penalty – which, by law, goes to the U.S. Treasury (not the FTC) – is one of the largest penalties ever assessed by the U.S. government for any violation. It’s designed to make all companies – not just Facebook – sit up, take notice, and rethink their practices.

Could the FTC have won a bigger civil penalty by going to court? Probably not. Judges tend to evaluate financial remedies in comparison with cases that have gone before them. That’s why we think the financial settlement is in the public interest. It has the added benefit of establishing a new benchmark when the FTC challenges privacy violations in the future.

The order imposes additional requirements to address Facebook’s illegal conduct. For example, Facebook must implement a stringent program to monitor third-party developers and terminate access to any developer that doesn’t follow the rules. In addition, Facebook can’t use for advertising purposes the phone numbers it obtained specifically for security. When it comes to facial recognition technology, the order requires Facebook to give clear notice of how it uses that information and it must get consumers’ express consent before putting that data to a materially different use. Facebook also will have to encrypt passwords and can’t ask people for their passwords to other services, and must report any privacy incident to the FTC within 30 days. On top of everything Facebook will have to do to protect consumers’ privacy, it also has to implement a comprehensive data security program. Another important consideration: These new accountability provisions don’t just apply to Facebook. They also apply to companies Facebook controls, like Instagram, WhatsApp, and other Facebook-owned affiliates that it shares consumers’ information with between now and 2039.

But don’t let a focus on the record-setting financial and conduct remedies distract from just how monumental a change the order imposes on Facebook’s privacy ecosystem and CEO Mark Zuckerberg’s job description. The order explains in detail a new system of independent control, multi-layer accountability, and personal responsibility over Facebook’s practices, and substantially limits Mr. Zuckerberg’s unfettered say in privacy decisions. In fact, for the next 20 years, anytime Facebook makes a privacy decision, multiple independent watchdogs will be looking over its shoulder. You’ll want to read the order in depth, but here are some highlights of ways that business is about to change at Facebook.

New Facebook Privacy Compliance System

Who will carry out Facebook’s day-to-day privacy program? Designated compliance officers. Expert compliance officers, who must be approved by the Independent Privacy Committee, will implement and maintain Facebook’s privacy program. The compliance officers will be responsible for documenting every material privacy decision in detail. They’ll provide that documentation quarterly to the third-party assessor and CEO Zuckerberg. They also will have to certify quarterly to the FTC that Facebook is complying fully with the privacy program. If that’s not the case, the compliance officers will throw a flag that triggers even closer FTC scrutiny. In addition, the independent assessor will meet with the Independent Privacy Committee four times a year outside the presence of Facebook officers and employees. What if Facebook doesn’t like what the compliance officers are doing? Tough. Only the Independent Privacy Committee can remove them from the job.

Who else will be watching Facebook? A third-party assessor with broad monitoring powers. The assessor – who must be appointed with FTC approval – will provide an independent evaluation of Facebook’s privacy practices every two years. The order mandates that the assessor must subject Facebook to substantial scrutiny and can’t just take management’s word for what’s happening. In effect, the assessor must kick the tires, look under the hood, put it up on the lift, conduct diagnostics, and take it for a test drive. And again, Facebook will not be able to remove the assessor on its own.

How much of a role will CEO Mark Zuckerberg play in making final privacy decisions for the company? Substantially less, but he’ll have much more on the line personally. Mr. Zuckerberg will get a copy of Facebook’s written privacy program and quarterly reports of privacy decisions. But he does not control the Independent Privacy Committee, the designated compliance officers, or the third-party assessor. However, the order does impose a major requirement on him. Facebook’s CEO must certify quarterly to the FTC that the company’s privacy program complies with the order. A false certification could trigger civil or even criminal penalties.

How much access will the FTC have to Facebook’s privacy decisions? An unprecedented amount. The order gives the FTC unparalleled access to Facebook’s decision-making. Upon request, the FTC will get written documentation of every privacy decision Facebook makes and copies of the third-party assessor’s reports. (Remember that the FTC has to approve who gets hired as the assessor.) The order also includes tools that slice through any red tape that could have hindered the FTC’s ability to get records, conduct interviews, or take other steps to monitor Facebook’s compliance.

The goal of the FTC’s settlement is the creation of a new culture at Facebook where the company finally lives up to the privacy promises it has made to the millions of American consumers who use its platform.    


Carla July 24, 2019 how will the FTC’s $5 billion civil penalty against Facebook be used ?

In reply to how will the FTC’s $5 by Carla

The penalty, by law, goes to the U.S. Treasury, not the FTC. It is one of the largest penalties ever assessed by the U.S. government for any violation.

Jamie July 24, 2019 And does the fine go to the users whose privacies were violated?

In reply to And does the fine go to the by Jamie

The penalty, by law, goes to the U.S. Treasury, not the FTC. It is one of the largest penalties ever assessed by the U.S. government for any violation.

Bill Brigham July 24, 2019 Facebook engaged in massive criminal fraud and other crimes for almost a decade. Despite acting as a criminal enterprise, FB and Zuckerberg have not faced criminal charges. The injunction only orders them ... yet again ... to stop their criminal acts. And the fine, for a criminal organization of FB's size, is just a 'slap on the wrist.' Why no meaningful fines? And why no criminal charges? Among others, there is obvious mail fraud 18 USC 1341; false representation 39 USC 3005; criminal privacy violations; state and federal frauds of many sorts; violation of right of publicity laws, and much more.

Thomas W Otte July 28, 2019 So what does this mean to the millions on Facebook?

Guest August 13, 2019 I have been violated by Facebook repeatedly, over and over and over. There is a record still in their systems, and I hold some information on some of my other phones, and I'm still being violated by consumers calling me from every area. I can't make one phone call or send an email to someone because they've already got my information, and they call me constantly acting as if there is somebody else related to that company that I've contacted.

RIZUAN BIN A R… August 21, 2019 If I deactivate and delete all my social accounts, will I get my life back? Please delete everything about me... everybody is just playing with my life... hopefully GOD will take me soon...


Sean C September 19, 2019 Do corporate structures where founders hold a majority of the votes no matter their economic share (such as Facebook or Google) reduce accountability, ultimately leading to abuses like this?

NZN September 23, 2019 "Facebook was separately telling developers with existing apps on the platform" .. you know, their friends. This act, repeatedly deployed, has perverted our marketplace of ideas and fair competition, providing certain messages, and voices to find access to opportunities that were being led by their true leaders authentically. Our country has been robbed of its true leaders, and in their place we have been manipulated by a social graph, that has selected a victorious structure of "friends" with whom special information was shared and leveraged, both personally, and using the vast wealth of Facebook. It is not enough to just fine Facebook. The nature of the offense must be considered by balanced and judicious minds, and the nature of the perversion must be taken account of in considering the real harm that Facebook's existence has endeavored upon. The personal details of people's lives, their intimate real time and ancestral connections, their mental conditions and living circumstances are now under the data control of a single service provider, incorporated in the UNITED STATES OF AMERICA, using the legal identifier of its citizenry to affect its marketplace, its politics, its elections, and its very soul as a civilization, self led.

Guest November 24, 2019 They blocked my postings till Dec 1, 2019..... So sad... they're seeing our privacy information, etc.


Facebook is garnering headlines for another data leak putting users' privacy at risk. The latest incident involves the personal information of 533 million Facebook users from 106 different countries, as apparently discovered by Alon Gal, co-founder and CTO of cybercrime intelligence firm Hudson Rock.

In an April 3 tweet, Gal said the data, which includes Facebook members' account creation date, bio, birthdate, Facebook ID, full name, location, past location and relationship status, has been made available free to members of a hacking forum.

In a January 14 post, he said an early 2020 vulnerability that exposed the phone numbers linked to every Facebook account had been exploited and that a hacker had advertised a paid bot that would allow users to query the database. Facebook claims the data must have been scraped prior to September 2019, before the vulnerability was addressed.

Facebook has no plans to notify individuals whose information was exposed because the company claims it does not know who was affected. Despite the September 2019 patch, 419 million records containing user IDs and phone numbers were leaked that same month. Then in December 2019, a Ukrainian researcher discovered a database on the open Internet which included the personal information of more than 267 million Facebook users.

Interestingly, in July 2019, the FTC announced that it had completed a year-long investigation and concluded that Facebook had "used deceptive disclosures and settings to undermine users' privacy preferences" in violation of a 2012 FTC order. Specifically, third-party apps were allowed to collect the personal information of Facebook members whose friends had downloaded the apps.

According to the new 20-year settlement order:


  • Facebook must pay a $5 bn fine which the FTC claims is unprecedented.
  • Facebook's board must form an independent privacy committee "removing unfettered control by Facebook's CEO Mark Zuckerberg over decisions affecting user privacy."
  • Zuckerberg and Facebook compliance officers must independently file certifications with the FTC quarterly, which state the company is complying with the order.
  • A third-party assessor must make biennial assessments of Facebook's privacy program to identify any gaps and report to the new privacy board on a quarterly basis.
  • The FTC can monitor Facebook's compliance using discovery tools provided by the Federal Rules of Civil Procedure.
  • Every new or modified Facebook, Instagram, or WhatsApp product, service or practice must undergo a privacy review before it's implemented.
  • If the data of 500 or more users has been compromised by a breach, the incident must be documented and shared with the FTC and the assessor within 20 days of the incident.

Other requirements can be found here, but yet another database of Facebook user information was just discovered.

Data privacy is a serious issue that organizations need to address proactively. While behemoths like Facebook can weather a $5 bn fine, lesser fines could be fatal to smaller organizations. A responsible approach to privacy should include:

  • Privacy by design so the right guardrails are built into products and services.
  • Penetration testing to identify weak areas.
  • Patching to avoid unnecessary vulnerabilities.
  • Board-level oversight to ensure that privacy is given the attention it deserves.
  • Compliance officers or a compliance officer, depending on the size of the company, whose job it is to ensure compliance.
  • Data governance to avoid data misuse.
  • Continuous monitoring to prevent or minimize data exfiltration.
  • Scenario planning in case a breach occurs.
  • A plan to notify affected victims and law enforcement should a PII leak occur.
  • Ongoing security awareness training for IT and non-technical personnel to reduce the risk of inadvertent mistakes.


Facebook data breach 2019: 540 million users’ records exposed.

Facebook (NASDAQ: FB) had more than 540 million records regarding its users that were publicly exposed, according to a cybersecurity research firm.

UpGuard announced on Wednesday that this data was exposed on Amazon’s cloud computing service, as two third-party Facebook app developers posted these records for all to see. This marks the second such data breach for the social media site as the company faced a similar fate last year.

The firm said that a Mexico-based media company called Cultura Colectiva was to blame for the leak, exposing roughly 146 gigabytes of Facebook user data. This included account names and IDs, as well as details about comments and reactions to posts, although it’s unclear how many individual users had their data exposed.

There was also an app called At the Pool that exposed databases that included data regarding Facebook user IDs, friends, photos, as well as location check-ins. The At the Pool data also included unprotected Facebook passwords for 22,000 users. The app was designed to help people meet up for offline activities, and it shut down in 2014.

UpGuard said it told Cultura Colectiva and Amazon about the breaches back in January, but no action was taken until yesterday morning. An Amazon “storage bucket” containing the data from Cultura Colectiva was reportedly secured, according to Facebook. The data from At the Pool made its way offline before UpGuard reached the business about it.

FB stock is up 1.3% Thursday.


The post Facebook Data Breach 2019: 540 Million Users’ Records Exposed appeared first on InvestorPlace .

Facebook and Data Privacy in the Age of Cambridge Analytica

April 30, 2018

Iga Kozlowska

In recent weeks, the world has been intently following the Cambridge Analytica revelations: millions of Facebook users’ personal data was used, without their knowledge, to aid the political campaigns of conservative candidates in the 2016 election, including Donald Trump. While not exactly a data breach, from the public response to this incident it is clear that the vast majority of Facebook users did not knowingly consent to having their personal information used in this way.

What is certain is that Facebook, the world’s largest social network platform, serving over two billion customers globally, is facing public scrutiny like never before. With data breaches, ransomware attacks, and identity theft a regular occurrence in this digitally driven economy, this event is different. For the first time, we see the mishandling of social data for political purposes on a mass scale. [1] It remains to be seen whether this will be a watershed moment for rethinking how we use personal data in the modern age. It is also unclear whether this experience will change companies’ and consumers’ privacy practices forever. For now, however, Facebook users and investors, American and foreign governments, and numerous regulatory bodies are paying attention.

Cambridge Analytica and Facebook

In 2013, University of Cambridge psychology professor Dr. Aleksandr Kogan created an application called “thisisyourdigitallife.” This app, offered on Facebook, provided users with a personality quiz. After a Facebook user downloaded the app, it would start collecting that person’s personal information, such as profile information and Facebook activity (e.g., what content was “liked”). Around 300,000 people downloaded the app. But the data collection didn’t stop there. Because the app also collected information about those users’ friends who had their privacy settings set to allow it, the app collected data from about 87 million people. [2]

Next, Dr. Kogan passed this data on to Strategic Communication Laboratories (SCL), which owns Cambridge Analytica (CA), a political consulting firm that uses data to determine voter personality traits and behavior. [3] It then uses this data to help conservative campaigns target online advertisements and messaging. It is precisely at this point of data transfer from Dr. Kogan to other third parties like CA that Dr. Kogan violated Facebook’s terms of service, which prohibit the transfer or sale of data “to any ad network, data broker or other advertising or monetization-related service.” [4]

When Facebook learned about this in 2015, it removed Kogan’s app and demanded certifications from Kogan and CA that they had deleted the data. Kogan and CA both certified to Facebook that they had destroyed the data. However, copies of the data remained beyond Facebook’s control. While Alexander Nix, the CEO of CA, has told lawmakers that the company does not have Facebook data, “a former employee said that he had recently seen hundreds of gigabytes on CA servers, and that the files were not encrypted,” reports the New York Times. [5]

In 2015, Facebook did not make any public statements regarding the incident, nor did it inform those users whose data was shared with CA. [6] Neither did Facebook report the incident to the Federal Trade Commission, the US agency that oversees privacy-related issues. As Mark Zuckerberg, Facebook CEO, said during his two-day Congressional hearing on April 9 and April 10, 2018, once they received CA’s attestation that the data had been deleted and was no longer being used, Facebook considered the “case closed.” [7]

With the breaking of the story on March 17, 2018 in The Guardian [8] and the New York Times [9], Facebook was made aware that the data had in fact not been purged, and it has not been to this day. The fallout from this incident has been unprecedented. Facebook is facing numerous lawsuits, US, UK, and EU governmental inquiries, a #DeleteFacebook boycott campaign, and a sharp drop in share price that erased nearly $50 billion of the company’s market capitalization in a mere three days after the news broke [10].

This is not the first time, however, that Facebook has faced issues related to its data collection and processing. [11] And it is not the first time that it has faced regulatory scrutiny. For example, in 2011, the FTC settled a 20-year consent decree with Facebook, having found that Facebook routinely deceived its users by sharing personal data with third parties that users thought was private. [12] It is only now that Facebook’s irresponsible behavior is receiving widespread public scrutiny. Whereas warnings from privacy and security professionals have to date largely fallen on deaf ears, why is this event capturing the attention of consumers, companies, and governments the world over?

We have seen international data breach cases at this scale before. Indeed, data breaches, identity theft, ransomware, and other cybersecurity attacks have become ubiquitous in a digital global economy that runs on data. [13] In the last five years, we have witnessed the 2013 Snowden revelations of mass global government surveillance and the 2014 North Korean attack on Sony, a US corporation. [14] The average consumer has been hit hard as well. The 2013 Target data breach resulted in 40 million compromised payment cards. [15] The 2016 Yahoo attack compromised 500 million accounts [16] and the 2017 Equifax hack compromised 143 million. [17] It doesn’t help that, at the same time as the Cambridge Analytica incident, Facebook discovered a vulnerability in its search and account recovery features that may have allowed bad actors to harvest the public profile information of most of its two billion users. [18] It seems that the public feels that enough is enough.

Beyond the scale of the event, the Cambridge Analytica incident involves arguably the most serious misuse and mishandling of consumer data we’ve yet seen. The purpose for which the data was illegally harvested is new, and it hits a nerve with an American society that is already politically divided and where political emotions run high. Funded by Robert Mercer, a prominent Republican donor, and Stephen Bannon, Trump’s former political adviser, CA was using the data for explicit political purposes – to help conservative campaigns in the 2016 election, including Donald Trump’s campaign. [19] Neither the 300,000 Facebook users who downloaded the app nor their 87 million friends anticipated that their personal data could be used for these political purposes. It’s one thing if customer data is used to serve bothersome ads, or a hacker steals credit card information for economic gain, but it’s another if the world’s largest social network was taken advantage of to help elect the president of the United States. So what exactly is Facebook’s accountability in all this?

From Data Breach to Breach of Trust

Was this incident a data breach? Facebook first responded on March 17, 2018 in a Facebook post by Paul Grewal, VP & Deputy General Counsel, who wrote that, “The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.” [20] That same day, Alex Stamos, Facebook’s Chief Security Officer, tweeted (and later deleted the tweet) that, “Kogan did not break into any systems, bypass any technical controls, or use a flaw in our software to gather more data than allowed. He did, however, misuse that data after he gathered it, but that does not retroactively make it a ‘breach.'” [21]

This is true. According to the International Organization for Standardization and the International Electrotechnical Commission – two bodies that govern global security best practices – the definition of data breach is as follows: “a compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed.” [22] Because Facebook’s systems were not penetrated and the data was mishandled by a third party in explicit violation of Facebook’s terms of service, the incident does not qualify as a data breach as understood by the global cybersecurity community. But what about everyone else?

Facebook quickly understood, however, that to millions of users whose data was mishandled, this incident felt like a data breach. [23] Despite the fact that technically all 87 million Facebook users consented to Kogan’s app collecting their personal data by not changing their privacy settings accordingly, the public outcry reveals that they do not feel that they authorized the app to access their data, let alone share it with a third party like CA. Facebook’s defense that it does provide users with controls to determine what types of data they want to share with which apps and what can be shared with apps that their friends use felt empty to customers who are largely unaware of these controls because Facebook does not make it easy to access them. Moreover, Facebook’s privacy settings are by default not set for privacy. This is, at least in part, because, as was made clear in the Congressional hearings this month, Facebook’s business model relies on app developers’ access to their users’ data for targeted advertising, which makes up over 90% of Facebook’s revenue. In other words, Facebook’s business model conflicts with privacy-friendly policies. [24]

Quickly recognizing this, Facebook pivoted, took some responsibility, and rather than argue the fine points of data breach definitions, apologized for what was experienced by customers as a breach of trust. Only five days after the story broke, Zuckerberg wrote in a Facebook post, “This was a breach of trust between Kogan, Cambridge Analytica and Facebook. But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.” [25] That week Facebook took out full-page ads in nine major US and international newspapers with the message: “This was a breach of trust and I’m sorry we didn’t do more at the time. I promise to do better for you.” [26] Recognizing the complex digital ecosystem, Zuckerberg said in his opening remarks at the Congressional hearing that, “We didn’t take a broad enough view of what our responsibility is. That was a huge mistake, and it was my mistake.” [27]

This “apology tour,” as Senator Blumenthal dubbed it, will be meaningless without concrete policy changes. [28] Facebook has already instituted some changes. For example, it has tightened some of the APIs that allow apps to harvest data like information about which events a user hosts or attends, the groups to which they belong, and page posts and comments. Apps that have not been used in more than three months will no longer be able to collect user data. [29] In addition, Facebook will now be authorizing those who want to place political or issue ads on Facebook’s platform by validating their identity and location. [30] These ads will be marked as ads and will show who has paid for them. In addition, in June, Facebook plans to launch a public and searchable political ads archive. [31] Finally, Facebook has started a partnership with scholars who will work out a new model for academics to gain access to social media data for research purposes. The plan is to “form a commission which, as a trusted third party, receives access to all relevant firm information and systems, and then recruits independent academics to do research in specific areas following standard peer review protocols organized and funded by nonprofit foundations.” [32] This should not only allow scholars greater access to social data but also safeguard against its misuse, as in the case of Dr. Kogan, by clearly distinguishing between data use for scholarly research and data use for advertising and other secondary purposes.

It remains to be seen just how extensive and impactful Facebook’s policy changes will be. Zuckerberg’s performance at the Congressional hearings was reported positively by the media and Facebook’s stock price regained much of the value it lost since the Cambridge Analytica story broke. However, this is in part because the Senators did not ask specific and pointed questions on what compliance policies Facebook will actually implement. [33] For example, the conversation around the balance between short privacy notices that are reader-friendly and longer and more comprehensive notices written in “legalese” resulted in Zuckerberg signaling that he knows that this debate among privacy professionals exists but did not lead to a commitment by Facebook to make their privacy policies more transparent. [34]

When Zuckerberg did mention specific policy changes, not all of them were new changes responding to this incident. For example, Zuckerberg announced Facebook’s application of the European General Data Protection Regulation (GDPR) to all Facebook customers, not just Europeans, as a heroic move of self-regulation. [35] However, it should not have taken Facebook this long to announce this position. Limiting the GDPR to EU citizens only is not only shortsighted as the GDPR becomes the de facto global privacy standard, but also unfair to non-EU citizens, who would enjoy fewer privacy protections. In other words, while the Congressional hearing and Facebook’s initial policy changes are a good start, this should only be the beginning of Facebook’s journey toward improved transparency and data protection.

Lessons Learned

What are the lessons learned from the Cambridge Analytica incident for consumers, for companies, and for governments?

Consumers must recognize that their data has value. Consumers should educate themselves on how companies, especially ones that offer free service like Facebook and Google, use their personal data to drive their businesses. Consumers should read privacy notices and take advantage of the in-product user controls that most tech companies offer. Consumers should take advantage of their rights to request that a company let them view, edit, and delete their personal data because after all, consumers own their data, not companies. When companies engage in fraudulent or deceitful data handling practices, consumers should file complaints with the FTC or other appropriate regulatory bodies. Finally, consumers should advocate for more transparency and controls from companies and demand that their elected officials do more to protect privacy.

Companies that electronically process personal data – which is now practically every company in the world – must learn to better balance privacy risks with privacy controls. The riskier the data use, the more user controls are required. The more sensitive the data, the more protections should be put in place. Controls can include explicit consent, reader-friendly and prominent privacy notices, and privacy-friendly default settings. Company leaders should do more than just follow the letter of the law by putting themselves in their customers’ shoes. How do customers expect their data to be used when they hand it over? Is consent given? And is it truly freely given, specific, informed, and unambiguous? Moreover, as Facebook learned the hard way, there will always be bad actors. When sharing data with third parties, companies would do well to go the extra mile and ensure that those companies are meeting the company’s privacy requirements by investing in independent audits. When receiving data from third parties, companies should confirm that the data was collected in a compliant manner, not by taking their vendors’ word for it, but again, by conducting periodic audits.

And finally, governments, in this digitally connected global marketplace, must reform outdated legislation so that it addresses the modern complexities of international data usage and transfers. The European Union, for example, is setting a global example through the General Data Protection Regulation that comes into effect May 25, 2018. Seven years in the making, this is a comprehensive piece of legislation that (1) expands data subjects’ rights, (2) enforces 72-hour data breach notifications, (3) expands accountability measures, and (4) improves enforcement capabilities through levying fines of up to 4% of global revenue. Although applicable only to European residents and citizens, most multinational tech companies like Facebook, Google, and Microsoft are implementing these standards for all of their customers. However, it is high time that the US Congress find the political will to pass similar privacy protections for US consumers so that everyone can take advantage of the opportunities that come with the 21st-century digital economy.

[1] For an account of Facebook’s role in undermining democracy see: Vaidhyanathan, Siva. 2018. Antisocial Media: How Facebook Disconnects Us and Undermines Democracy. Oxford University Press. See also Helbing, Dirk et al. 2017. “Will Democracy Survive Big Data and Artificial Intelligence?” Scientific American. https://www.scientificamerican.com/article/will-democracy-survive-big-data-and-artificial-intelligence/ Accessed 4/22/2018.

[2] Kang, Cecilia and Sheera Frenkel. “Facebook Says Cambridge Analytica Harvested Data of Up to 87 Million Users.” The New York Times. April 4, 2018. https://www.nytimes.com/2018/04/04/technology/mark-zuckerberg-testify-congress.html Accessed 4/26/18.

[3] Rosenberg, Matthew et al. “How Trump Consultants Exploited the Facebook Data of Millions.” The New York Times. March 17, 2018. https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html Accessed 4/26/18.

[4] Granville, Kevin. “Facebook and Cambridge Analytica: What You Need to Know as Fallout Widens.” The New York Times. March 19, 2018. https://www.nytimes.com/2018/03/19/technology/facebook-cambridge-analytica-explained.html Accessed 4/15/18.

[5] Rosenberg, 2018.

[6] Rosenberg, 2018.

[7] “Facebook CEO Mark Zuckerberg Hearing on Data Privacy and Protection.” C-SPAN. April 10, 2018. https://www.c-span.org/video/?443543-1/facebook-ceo-mark-zuckerberg-testifies-data-protection Accessed 4/26/18.

[8] Cadwalladr, Carole and Emma Graham-Harrison. “Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach.” The Guardian. March 17, 2018. https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election Accessed 4/26/18.

[9] Rosenberg, 2018.

[10] Molla, Rani. “Facebook has lost nearly $50 billion in market cap since the data scandal.” Recode. March 20, 2018. https://www.recode.net/2018/3/20/17144130/facebook-stock-wall-street-billion-market-cap Accessed 4/26/18.

[11] For one of the earliest analyses of Facebook’s privacy policies see Jones, Harvey and Jose Hiram Soltren. 2005. Facebook: Threats to Privacy. http://groups.csail.mit.edu/mac/classes/6.805/student-papers/fall05-papers/facebook.pdf Accessed 4/22/18. See also Fuchs, Christian. 2014. “Facebook: A Surveillance Threat to Privacy?” in Social Media: A Critical Introduction. London: Sage.

[12] “FTC Approves Final Settlement With Facebook.” Federal Trade Commission. August 10, 2012. https://www.ftc.gov/news-events/press-releases/2012/08/ftc-approves-final-settlement-facebook Accessed 4/15/18.

[13] For more on security and privacy see Schneier, Bruce. 2016. Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. New York: W. W. Norton & Company.

[14] “The Interview: A guide to the cyber attack on Hollywood.” BBC. December 29, 2014. http://www.bbc.com/news/entertainment-arts-30512032 Accessed 4/27/18.

[15] “Target cyberattack by overseas hackers may have compromised up to 40 million cards.” The Washington Post. December 20, 2013. https://www.washingtonpost.com/business/economy/target-cyberattack-by-overseas-hackers-may-have-compromised-up-to-40-million-cards/2013/12/20/2c2943cc-69b5-11e3-a0b9-249bbb34602c_story.html?noredirect=on&utm_term=.2d3d9c763c06 Accessed 4/27/18.

[16] Fiegerman, Seth. “Yahoo says 500 million accounts stolen.” CNN. September 23, 2016. http://money.cnn.com/2016/09/22/technology/yahoo-data-breach/index.html Accessed 4/27/18.

[17] Siegel Bernard, Tara et al. “Equifax Says Cyberattack May Have Affected 143 Million Users in the U.S.” The New York Times. September 7, 2017. https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html Accessed 4/27/18.

[18] Kang and Frenkel, 2018.

[19] Rosenberg, 2018.

[20] Grewal, Paul. “Suspending Cambridge Analytica and SCL Group from Facebook.” Facebook Newsroom. March 16, 2018. https://newsroom.fb.com/news/2018/03/suspending-cambridge-analytica/ Accessed 4/15/18.

[21] Wagner, Kurt. “How Did Facebook Let Cambridge Analytica Get 50M Users’ Data?” Newsfactor. March 21, 2018. https://newsfactor.com/story.xhtml?story_id=113000078MBA Accessed 4/15/18.

[22] ISO/IEC 27040:2015. International Organization for Standardization. https://www.iso.org/obp/ui/#iso:std:iso-iec:27040:ed-1:v1:en Accessed 4/12/18.

[23] On the ethics of social media data collection see Richterich, Annika. 2018. The Big Data Agenda: Data Ethics and Critical Data Studies (Critical Digital and Social Media Studies Series). University of Westminster Press.

[24] “Facebook CEO Mark Zuckerberg Hearing on Data Privacy and Protection.” C-SPAN. April 10, 2018. https://www.c-span.org/video/?443543-1/facebook-ceo-mark-zuckerberg-testifies-data-protection Accessed 4/26/18.

[25] Zuckerberg, Mark. Facebook Post. March 21, 2018. https://www.facebook.com/zuck/posts/10104712037900071 Accessed 4/15/18.

[26] “Facebook Apologizes for Cambridge Analytica Scandal in Newspaper Ads.” TIME. March 25, 2018. time.com/5214935/facebook-cambridge-analytica-apology-ads/ Accessed 4/15/18.

[27] “Facebook CEO Mark Zuckerberg Hearing on Data Privacy and Protection.” C-SPAN. April 10, 2018. https://www.c-span.org/video/?443543-1/facebook-ceo-mark-zuckerberg-testifies-data-protection Accessed 4/15/18.

[28] Dennis, Steven T. and Sarah Frier. “Zuckerberg Defends Facebook’s Value While Senators Question Apology.” Bloomberg. April 10, 2018. https://www.bloomberg.com/news/articles/2018-04-10/facebook-s-zuckerberg-warned-by-senators-of-privacy-nightmare Accessed 4/27/18.

[29] Schroepfer, Mike. “An Update on Our Plans to Restrict Data Access on Facebook.” Facebook Newsroom. April 4, 2018. https://newsroom.fb.com/news/2018/04/restricting-data-access/ Accessed 4/22/2018.

[30] For a broader discussion of social media and political advertising see Napoli, Philip M. and Caplan, Robyn. 2016. “When Media Companies Insist They’re Not Media Companies and Why It Matters for Communications Policy.” https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2750148 Accessed 4/22/18.

[31] Goldman, Rob and Alex Himel. “Making Ads and Pages More Transparent.” Facebook Newsroom. April 6, 2018. https://newsroom.fb.com/news/2018/04/transparent-ads-and-pages/ Accessed 4/22/2018.

[32] King, Gary and Nathaniel Persily. Working Paper. “A New Model for Industry-Academic Partnerships.” April 9, 2018. https://gking.harvard.edu/partnerships Accessed 4/22/2018.

[33] Members of the House of Representatives took a more aggressive line of questioning with Mark Zuckerberg. For example, Representative Joe Kennedy III poked holes in Facebook’s persistent claim that Facebook users “own” their data by pointing to the massive amount of metadata that Facebook generates (beyond what the user directly generates) and then sells to advertisers. See Madrigal, Alexis C. “The Most Important Exchange of the Zuckerberg Hearing.” The Atlantic. April 11, 2018. https://www.theatlantic.com/technology/archive/2018/04/the-most-important-exchange-of-the-zuckerberg-hearing/557795/ Accessed 4/27/18.

[34] For the evolution of Facebook’s privacy policy see Shore, Jennifer and Jill Steinman. 2015. “Did You Really Agree to That? The Evolution of Facebook’s Privacy Policy.” Technology Science. https://techscience.org/a/2015081102/ Accessed 4/22/18. For a broader conversation around privacy and human behavior see Acquisti, Alessandro. 2015. “Privacy and Human Behavior in the Age of Information.” Science. Vol. 347. Pp. 509-514.

[35] For more on European privacy law see Voss, W. Gregory. 2017. “European Union Data Privacy Law Reform: General Data Protection Regulation, Privacy Shield, and the Right to Delisting.” Business Lawyer, Vol. 72. Pp. 221-233.

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.

About the Author

Dr. Iga Kozlowska is a sociologist and a privacy professional currently working in the technology industry. Iga's expertise in international technology issues is grounded in the unique perspective of a scholar and practitioner. Fascinated by the global digital economy and information governance, Iga is also interested in cybersecurity and is an Associate of the International Information System Security Certification Consortium, the world's leading cybersecurity and IT security professional organization. Iga completed her PhD in sociology at Northwestern University in 2017. Her dissertation research focused on the transnational diffusion of historical memories as it has impacted European integration since 2000. Iga received the US Fulbright Award (Poland 2015-2016) in recognition of the contributions of her research to the burgeoning field of transnationalism studies and to policymakers interested in fostering international cooperation and mutual understanding. Her prior research at the intersections of public policy and nationalism has been published in Nations and Nationalism.

Award winner: Facebook-Cambridge Analytica Data Scandal

This case won the Ethics and Social Responsibility category at The Case Centre Awards and Competitions 2024. #CaseAwards2024

Who – the protagonist

Mark Zuckerberg, founder and CEO of social networking giant Facebook.

This case follows the public anger that erupted when news broke in March 2018 that the personal information of 87 million Facebook users had been accessed inappropriately by a British consulting firm, Cambridge Analytica, to create targeted political advertising during the election campaign of US president Donald Trump.

The scandal was the latest in a long line of data-related incidents, and public trust in Facebook and CEO Zuckerberg was at an all-time low. The #DeleteFacebook movement was sweeping the internet and the company’s share value declined sharply, falling 17% in two days, which amounted to approximately US$90 billion in market value. The company was also facing multiple lawsuits filed against it by users and shareholders, and much criticism among analysts that it could have acted sooner and more proactively in protecting users’ privacy.

Facebook, now known as Meta, is headquartered in California, United States, but has users across the world.

The case is set in the wake of the Cambridge Analytica scandal in March 2018, and follows the history of Facebook from its inception in 2004 to becoming one of the world’s most popular social networking sites.

Facebook needed to regain the trust of its users and redeem its reputation going forward. Although Zuckerberg apologised for the ‘major breach of trust’, the question remained: was that enough to reassure users and shareholders?

AUTHOR PERSPECTIVE

This is the third award win for Syeda, who has previously won Outstanding Case Writer in 2019 and the Knowledge, Information and Communication Systems Management award in 2021, and the first win for Geeta. ICFAI Business School have now won 19 awards, and this is the second time they have won the Ethics and Social Responsibility award.

Winning the award

Geeta and Syeda said: “It is always an honour to win a prestigious award from The Case Centre! We are glad that our case was adopted by many business schools worldwide. The impact of the Ethics and Social Responsibility category is far-reaching as it shapes the values, decision-making abilities, and leadership qualities of future business professionals.”

Case popularity

They explained: “The case deals with the highly topical issue of customer data privacy and protection and ethical business practices. Broadly, it allows instructors to bring ethical issues related to data breaches to the classroom and prepares students to speak up when confronted with such dilemmas.

“We think this case has been so popular because it stimulates rich classroom discussions, triggers students’ analytical and problem-solving capabilities, and makes them apply their theoretical expertise in practice by presenting a real public relations crisis scenario.”

Writing the case

Geeta and Syeda reflected: “One of the challenges was describing how the scandal was perpetrated without becoming too biased towards any entity. Writing this case required meticulous planning where we had to keep an open mind, conduct thorough research and present the ethical issues arising out of the data breach scandal clearly.”

Case writing advice

They commented: “To begin with, a case has to have a hook, an overriding managerial issue or decision that requires immediate attention. It should create a strong and interesting learning experience for students by including contentious issues and multiple perspectives. This can be challenging as the writer needs to explore various theoretical sources and integrate his/her ideas well.

“End the case with a decision-making scenario where students could use their analytical skills to conclude their recommendations.”

Teaching the case

Geeta and Syeda reflected: “The case works well in the classroom as it explores the causes of organisational misconduct, ethical business practices and cyber security issues. The case resonates well with students as Facebook is the most popular social media platform worldwide.

“We observed great interest among students to learn and explore the ethical issues arising out of the data breach scandal.”

They added: “If you are looking for a follow-up case on data breaches, check out the Data Security Breach at Virgin Media case which helps students understand the importance of information security systems in organisations and the issues arising out of a data security breach.”


30+ Data Breach Statistics (2024 Data and Trends)

Key Data Breach Statistics

1. Malware attacks have risen more than ever before in 2023.
2. Taking note of a breach can take as long as 287 days.
3. Healthcare bears the brunt of 30% of cyberattacks.
4. A large percentage of malware comes in through email.
5. Our errors as humans account for 88% of data breaches.
6. Ransomware victims doubled between April 2022 and the end of March 2023.
7. Picus Security sent out a message to the United Kingdom FCA on cybercrime.
8. Data about 200 million voters was leaked out in 2017.
9. eBay was not spared from the menace, as 145 million of its records got leaked.
10. TJX Companies Inc. in 2007 had a breach that carted away 94 million of its records.
11. Solving an issue of ransomware can cost an average of $5.13 million.
12. It now costs $165 per capita to resolve a single case of data breach.
13. The cost of taking data breaches off the necks of hospitals has risen to $10.93 million.
14. It cost a huge amount of $4.95 million to completely take away a data breach that lasted up to 200 days.
15. Over 50% of the time spent solving a breach comes in the next year.
16. 2023 has much to bring to mind, as the United States takes a large chunk of data breach cases.
17. A jumbo breach that hits 60 million records costs as much as $332 million.
18. Hospitals habitually spend 64% more just on advertising after a breach hit.
19. The costliest attack standing on the web is phishing, with $4.9 million.
20. Companies that are carefree on data breaches use up an average of $5.05 million.
21. Persons who work within the scope of an organization are the reason for 83% of data breaches.
22. Quite a large number of people started stealing data for quick money.
23. A total of 95% of records that were breached arose from the retail, technology, and government sectors in 2016.
24. Picking out a case of data breach takes an average of 204 days.
25. It is much faster to identify cases using threat intelligence.
26. Solving an issue of data breach with a 200-day lifecycle can cost an average of $1.02 million.
27. It takes an average of 73 days to contain a case of data breach.
28. Experts say that remote work has caused a rise in the number of cyber attacks.
29. As high as 62% of businesses saw a rise in cyber attacks throughout the pandemic.
30. It costs an average of $4.45 million to solve a case of financial data breach.
31. Beanstalk Farms lost $180 million in April 2022.
32. Payments made by crypto players rose to hit $449.1 million during the first part of 2023.

Though cybersecurity awareness grows, study after study indicates escalating data breach activities against individuals and enterprises—2022 saw this sinister trend continue its upward climb globally at a record scale.

Data breach statistics show that the average cost increased by 2.6% to $4.35 million in 2022 from $4.24 million in 2021. In critical infrastructure organizations, however, the average cost of a data breach is $4.82 million. As society progresses firmly into the digital age, safely navigating its benefits and risks proves paramount.

This piece offers readers insight by examining the latest data breach statistics for 2024 and beyond. Learn crucial details surrounding prominent breach events, from root causes to victim impact spanning multiple industries. Additionally, discover expert predictions around emerging cyber threats on the horizon, along with proactive security controls organizations and private citizens can employ right now to help turn the tide against the rising data breach epidemic. Let’s dive in.

Data Breach Statistics

  • Breaches that result from phishing take as long as 295 days to get resolved.
  • Phishing attacks account for almost 22% of all cases of data breaches that happen today.
  • Cloud-based data breaches take up a large chunk of 45% of cases.
  • Hospitals are not left out of the loop, as 30% of all data breaches occur there.
  • A whole lot of accounting records, up to 42 million, got into the hands of strangers from March to February 2022.
  • Yahoo experienced its share of data breaches when an identity thief crept into its database, carting away information affecting 1 million persons.
  • Quarter one of 2022 won’t be quickly forgotten as it recorded 817 breaches in the United States.
  • Up to 19% of planned data breaches were successful because the bad players got help from an insider.
  • Studies show that 77% of businesses do not have the skills to help them resolve data breaches.
  • Most of Facebook’s breach issues in 2019 resulted from data leakage.

Major Data Breach Statistics


There has been a greater rise in malware attacks today than ever before, with data showing a 2% increase in malware attacks year after year. Many experts attribute this trend to the rise of crypto-jacking and to activity related to the Internet of Things.

Spotting a data breach took an average of 287 days back in 2021. The delay stemmed from a lack of security expertise and from how complex IT has grown. The growing sophistication of cyberattacks is another reason for the lengthy detection time.

Hospitals, which ought to be a place of relief for many, are in no way spared from the risk of data theft. Healthcare suffered a heavy blow in 2021, when data breaches hit 51% of hospitals. As many as 337 breaches took place in the first half of that same year. This was a major setback for 19,992,810 people and highlighted the need to tighten cybersecurity in the sector.

Verizon’s findings show that 94% of the cybersecurity issues seen in past years came through email. These findings stem from 41,686 real-world incidents and 2,013 data breaches over the same period.

As humans, we are not above mistakes. Many may forget to log out of their devices, mistakenly disclose their password, or absent-mindedly click on bad links. In one way or another, these errors open a window for bad actors to infiltrate a system and steal data. A study by Stanford University shows that human error causes 88% of the data breaches we experience today.

Bad actors often inject malware that locks an individual’s or organization’s system, blocking access unless a ransom is paid. Records show that the use of this tactic doubled between April 2022 and March 2023.

A freedom of information (FOI) request was sent to the Financial Conduct Authority (FCA) of the United Kingdom, asking the agency to look into the rising cases of cybercrime that had been pouring in for a couple of months. The FCA had 55 cases of material cyber issues on its desk in the first half of 2022. A sizeable share of the cybercrime cases in 2022, precisely 25%, came from distributed denial-of-service (DDoS) attacks. This was quite startling, as the figure was just 4% at the close of 2021.

The year 2017 will remain in the minds of many citizens of the United States for a long time. Data on up to 200 million voters spread online, which cast doubt on the whole process.

eBay’s records were exposed to the public in 2014, laying 145 million of its records bare before hackers.

TJX, like many others, suffered a security breach that affected a great many records. As many as 94 million of the company’s records fell into the hands of hackers in 2007.

Data Breach Cost Statistics


Times are changing, and so has the cost of fixing data breaches, which has risen considerably. Recovering from a ransomware attack cost an average of $5.13 million in 2023. This is 13% more than it cost the year before.

The average cost per capita in handling one case of breach is now a dollar higher than in 2022.

Healthcare has not been the same since 2020, as the cost of settling data breaches reached $10.93 million. For 13 years and counting, it has held the spotlight for the cost of dealing with data breaches.

Resolving a data breach that lasts up to 200 days can swallow up to $4.95 million.

Most businesses can get back 51% of the money they had spent on solving a breach of data issue in the next year.

The United States, at $9.48 million, spent the most on clearing up data breach cases in 2023. The Middle East follows closely, with an average cost of $8.07 million.

Mega breaches, those of around 60 million records, cost an average of $332 million in 2023. This is lower than the $401 million of just two years earlier.

Most healthcare centers spend more on advertising after lying low for two years. They do this to win back clients once the dust of a data breach has settled.

Phishing is now high in 2023, with costs of up to $4.9 million to resolve.

Businesses that ignore the rise in breaches pay an average of $5.05 million to deal with an incident. This is 12.6% higher than what companies that are mindful of attacks spend.

Ways by Which Breaches Happen


Most breach cases in businesses are schemes plotted by people within the organization. Up to 83% of breaches in companies worldwide involve an insider.

Money is the sole reason why 95% of people take the risk of hacking into companies’ records.

Like the retail and technology sectors, the government was dealt a huge blow by data thieves in 2016. Together these sectors accounted for 95% of the breached records that year.

Lifecycle and Average Time of Response


Almost all companies around the globe spend an average time of 204 days sorting out cases of data breaches.

Breaches are identified fastest when threat intelligence is used.

Few things are as frustrating as working through a data breach. An organization spends an average of $1.02 million to get a data breach off its back.

Containing a data breach takes most firms an average of 73 days.

Data Breach and Remote Workers


Cases of cyber-attacks have skyrocketed since the rise of remote work. The remote work trend now has its downside, with 91% of experts reporting a rise in cyber attacks.

As businesses strove to weather the storm of the pandemic, data thieves stepped up their money-making efforts. That 62% of businesses saw a rise in attacks was cause for alarm, and many saw it as a contest of the fittest. Companies were put further on their toes securing their databases as many hunted to get hold of them.

Finance and Data Breach


The finance sector, like others, is hit year in and year out by the peril of data breaches. Clearing up a case costs as much as $4.45 million today.

A finance site, Beanstalk Farms, lost $180 million to a crypto raid.

Ransomware attacks on crypto were in no way friendly, resulting in the loss of $449.1 million at the beginning of 2023.

Data breaches have caused many companies to lose not just money but also the public’s confidence. They have become a concern for many experts looking for the best ways to curb this menace. Many people have been victimized and left to bear the brunt of these attacks. No sector, from healthcare to delivery to social media companies, has been spared. Almost every facet of life has felt the hard blow of data breaches today. The world will see less of this menace in times to come when all hands are on deck.

What is the number of reported cases of data breaches?

Data breach cases stood at 5,212 by the end of 2022.

How much does it cost to clear off a case of a data breach?

It cost a company an average of $4.45 million to resolve a data breach in 2023.

What is the highest data breach ever online in 2023?

CAM4 was the largest data spill on the internet, in March 2020. More than 10 billion records were leaked, a figure that has yet to be surpassed.

  • Tech Republic
  • Cybersecurity News
  • Information Week
  • Picus Security
  • Ponemon Institute
  • FBI IC3 Report


Jeff Beckman Tech Writer

Jeff Beckman is a content writer and copywriter with 5+ years of experience in technology. He provides enjoyable, educational content through his experience working for various publications.


© Copyright 2024 The Tech Report Inc. All Rights Reserved.
