The latest Facebook data breach, which reportedly compromised the personal data of over 533 million users, including 6.1 million Indians, has once again focused attention on the social media behemoth’s apparent laxity in protecting the privacy of its users and, more importantly, lack of accountability towards them. In January, Alon Gal, chief technology officer at cybercrime intelligence firm Hudson Rock, discovered the leaked data when a user in a hacking forum advertised an automated bot that could provide phone numbers for hundreds of millions of Facebook users for a price. Now, the entire dataset, which includes details like phone number, Facebook ID, name, location, email ID, relationship status and bio, has been posted on the hacking forum for free.
Security researchers have warned that with the leaked data in the public domain, cybercriminals can use it for email or SMS spam, robocalls, extortion attempts, threats and harassment. “Bad actors will certainly use the information for social engineering, scamming, hacking and marketing,” said Gal in a tweet.
When questioned about the leak, a Facebook spokesperson sent a one-line statement: ‘This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.’ In a blog post, Facebook said the data was scraped from people’s profiles by malicious actors using their contact importer prior to September 2019.
While Facebook patched the vulnerability that had caused the leak, the same data kept resurfacing—in June 2020 and then in January 2021. Most experts concur that the recent leak does not include new user data. “While we can’t always prevent datasets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work,” said Facebook.
According to Gal, there is not much Facebook can do to help users affected by the breach, but what the social media platform could do was notify users so they could remain vigilant for possible phishing schemes or fraud.
Other experts are not yet ready to give Facebook a clean chit. “If it’s an old leak, what did Facebook do to prevent the data from being made public? They did not bother to inform the affected users. If it’s a new leak, it’s liable for not taking appropriate steps to prevent it,” says Salman Waris of legal firm TechLegis Advocates and Solicitors.
This is not the first time Facebook is in the news for a data breach. In March 2018, data of over 500,000 Indian users was allegedly compromised, UK-based Cambridge Analytica had accessed information of about 87 million users globally. Facebook had vowed to crack down on mass data-scraping at the time. Yet, in December 2020, reports surfaced that a bug had exposed the personal information of the users of Facebook-owned Instagram.
India is among the biggest markets for Facebook and its subsidiaries such as WhatsApp and Instagram. According to government data, India has 530 million WhatsApp users, 410 million Facebook users and 210 million Instagram users. Yet, the country does not have a law to protect user privacy, despite the Supreme Court stating that the Right to Privacy is a fundamental right. The Personal Data Protection Bill has been pending in the Lok Sabha since 2019. Pending its legislation, the Information Technology Act, 2000, and the Information Technology (Intermediary Guidelines) Rules, 2011, serve as the legal framework to adjudicate these cases, which several experts have said are grossly inadequate.