Facebook is said to be shopping for a security company

The social network giant Facebook is reported to be close to acquiring a cybersecurity company to shore up its data protection capability.

In the wake of a massive security breach in which 29 million users’ data were compromised, Facebook is scrambling for a quick and effective response. As it turns out, one way of doing so, in addition to working with the FBI, is shopping. The Information reported that, according to four separate sources, Facebook has approached several unidentified cybersecurity companies about an acquisition. One source told the online technology publication that a deal with one of the target companies could be reached before the end of the year.

A security capability bought in from outside could help refresh Facebook’s internal measures, which may have overlooked vulnerabilities. The leak in late September, initially thought to have affected up to 50 million users, resulted from a code vulnerability in the “View As” feature, exploited by an unknown party posing as a third-party marketing company. Facebook later clarified that about 30 million users actually had their access tokens stolen, but that the attackers failed to gather information on 1 million of them.

On top of the technical expertise acquired, a high-profile purchase of a security company would also improve the perception that Facebook is serious about safeguarding user data. The company’s reputation has been repeatedly battered since the Cambridge Analytica scandal, prompting it to take a more aggressive PR stance. Having recruited a high-calibre ex-politician to its team, adding a professional security capability to its toolkit would do no harm.


Shareholders start wrestling Zuckerberg for Facebook control

Five Facebook shareholders are fighting back against Mark Zuckerberg’s control of the company he founded, after a series of scandals has sent the share price tumbling.

Citing privacy outrages, political influence, the proliferation of fake news and data leaks, the asset managers are hoping to rally support to remove Zuckerberg as Chairman. Facebook’s reputation and credibility as a business that can operate responsibly in the digital economy have certainly been called into question, though with Zuckerberg himself controlling around 60% of Facebook’s voting rights, it could prove a difficult battle.

New York City Pension Funds, Illinois state treasurer Michael Frerichs, Rhode Island state treasurer Seth Magaziner, Pennsylvania treasurer Joe Torsella and Trillium Asset Management are the troublesome shareholders, though the filing should be viewed as little more than symbolic. With Zuckerberg’s control over Facebook coming close to a dictatorship, it is unlikely anything will change. That will not stop investors from complaining, however.

At the time of writing, the Facebook share price stood at $159, having started the year at $181 and peaked at around $218 in July. This is its lowest since July 2017, a period in which Facebook has been grilled by politicians over fake news and political influence, dragged down by Cambridge Analytica, and hit by data breaches leaking personal information to nefarious actors. While Facebook will always be a target for hackers and the bottom-dwellers of the internet, the shareholders are calling into question Zuckerberg’s ability to manage the business.

“Facebook plays an outsized role in our society and our economy,” said New York City Comptroller Scott Stringer. “They have a social and financial responsibility to be transparent – that’s why we’re demanding independence and accountability in the company’s boardroom.

“We need Facebook’s insular boardroom to make a serious commitment to addressing real risks – reputational, regulatory, and the risk to our democracy – that impact the company, its shareowners, and ultimately the hard-earned pensions of thousands of New York City workers. An independent board chair is essential to moving Facebook forward from this mess, and to re-establish trust with Americans and investors alike.”

This is not the first time Zuckerberg has faced a challenge to his reign. Three of the aforementioned funds also backed a proposal in 2017 to appoint an independent board chair, though many of the largest shareholders voted against it. The new filing, which again calls for an independent chair to improve oversight, is set to feature at the 2019 AGM, with the troublesome shareholders saying they will be drumming up support over the coming months.

It is worth noting that this is not a revolutionary idea. Most other companies, especially multinationals, appoint an independent chair to oversee operations and maintain transparency for shareholders. It is common business practice. Perhaps the steamroller success of Facebook and its continuous supply of profits convinced shareholders this was unnecessary at Facebook, but the declining share price is certainly something to worry about. Facebook is under pressure from numerous governments, consumer groups and regulators, and Zuckerberg doesn’t seem inclined to do much about it.

The UK is a good example of Zuckerberg’s inaction. After he ignored numerous calls to appear in front of a Parliamentary committee, that committee threatened Zuckerberg with a formal summons should he ever set foot in the country again. It is difficult to imagine any other multinational business taking this approach to criticism and condemnation.

While the filing might be little more than a PR statement, it is clear the shareholders are not happy with the way Zuckerberg is running the business. Unfortunately, given his voting power, Zuckerberg appears to be under little pressure to do anything about it. Ironically, the social media giant seems the closest thing to a dictatorship the US has to offer the world.

50 million accounts breached at Facebook, but Europe needs to find the bad guy

Details of 50 million accounts have been lost to unknown nefarious individuals, but Facebook might get away with just a heavy hand-slapping from European watchdogs until the full consequences have been identified.

Last week, data from 50 million Facebook accounts was exposed through a vulnerability in the ‘View As’ feature. As the incident was reported within the 72-hour notification window that GDPR sets out, the social media giant might avoid the most serious penalties under the regulation. The maximum fine would be $1.63 billion, 4% of global annual turnover.

“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts,” said Guy Rosen, VP of Product Management. “We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.”

Attackers exploited a vulnerability in Facebook’s code that affected ‘View As’, a feature that lets users see their own profile as another user would see it. The vulnerability allowed the attackers to steal access tokens and so hijack user accounts. Access tokens are the equivalent of digital keys: they keep people logged in to Facebook so they don’t need to re-enter their password each time they use the platform, which is exactly why a stolen token hands an attacker the account without the password ever being touched.
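To make the token mechanism concrete, here is an added example, written for this page rather than taken from Facebook’s code, of why a credential issued in the wrong identity context is a full account takeover, and of the check that prevents it. It models a ‘view as’ preview in which a sub-feature rendered inside the preview mints an access token for the impersonated viewer instead of the acting user (the kind of flaw the LogRhythm quote below describes), and shows how one stolen token can be used to collect tokens for connected accounts. The token format, the HMAC key, the user names and the friend graph are all hypothetical.

```python
"""Added example (hypothetical code, not Facebook's): an access token minted
for the wrong identity is an account takeover, and the invariant that stops it."""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"hypothetical-signing-key"  # constructed for the example


def mint_token(subject: str, scopes: tuple) -> str:
    """Issue an HMAC-signed bearer token. Whoever holds the string acts as
    `subject` without a password: this is the 'digital key' in the article."""
    body = json.dumps({"sub": subject, "scopes": list(scopes)}, separators=(",", ":")).encode()
    mac = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(mac).decode()


def verify_token(token: str) -> dict:
    """Check the signature in constant time and return the claims."""
    body_b64, mac_b64 = token.split(".", 1)
    body = base64.urlsafe_b64decode(body_b64)
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(mac_b64)):
        raise PermissionError("invalid token signature")
    return json.loads(body)


def whoami(token: str) -> str:
    return verify_token(token)["sub"]


class PreviewRequest:
    """A 'view as' request: `session_user` is the authenticated principal (or
    the subject of a token the caller holds), `view_as` is the viewer whose
    perspective is being rendered."""

    def __init__(self, session_user: str, view_as: str) -> None:
        self.session_user = session_user
        self.view_as = view_as


def vulnerable_preview_token(req: PreviewRequest) -> str:
    # BUG: a sub-feature rendered inside the preview (a hypothetical uploader)
    # inherits the impersonated identity and mints a fully scoped token for it.
    # The caller now holds a key for `view_as`.
    return mint_token(req.view_as, ("read", "write"))


def fixed_preview_token(req: PreviewRequest) -> str:
    # FIX: credentials are bound to the authenticated principal only, and a
    # preview context receives a preview-only scope.
    return mint_token(req.session_user, ("preview",))


def harvest(start_token: str, friends: dict, issue) -> dict:
    """Model the pivot described in the article: starting from one token,
    request a preview of every connected account and keep whatever token the
    issuer hands back. Returns {subject: token} for every account obtained."""
    owner = whoami(start_token)
    owned = {owner: start_token}
    queue = [owner]
    while queue:
        user = queue.pop()
        for friend in friends.get(user, []):
            token = issue(PreviewRequest(session_user=user, view_as=friend))
            subject = whoami(token)
            if subject not in owned:
                owned[subject] = token
                queue.append(subject)
    return owned


if __name__ == "__main__":
    # Constructed friend graph: attacker -> alice -> bob
    graph = {"attacker": ["alice"], "alice": ["bob"], "bob": []}
    start = mint_token("attacker", ("read", "write"))
    print(sorted(harvest(start, graph, vulnerable_preview_token)))  # ['alice', 'attacker', 'bob']
    print(sorted(harvest(start, graph, fixed_preview_token)))       # ['attacker']
```

The fix is a single invariant: the subject of any credential a server mints must be the authenticated principal, never a display or impersonation identity, and a preview context should only ever receive preview-scoped credentials. harvest() is worth running against both issuers: with the vulnerable one it returns a token for every reachable account, with the fixed one it never gets beyond the token it started with.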

While this might look like a significant oversight by Facebook’s security team, the company might yet avoid a significant fine. The incident was reported to the relevant authorities within two days, well inside the required window, and the consequences of the incident are still unknown. Under GDPR, companies that report an incident within the required window and cooperate with investigators will not receive the heaviest fines. The objective is to remove the stigma of self-reporting, essentially rewarding those who come clean rather than trying to hide the incident.

The consequences of the breach are also an important factor. Until misuse of the data can be identified, political manipulation for example, watchdogs are unlikely to be heavy-handed. Using both the consequences and cooperation with investigators as grounds to reduce a fine is important in ensuring the industry works with regulators. The less time watchdogs spend policing the industry and hunting for hidden incidents, the more time can be spent proactively making security features and processes more resilient. If watchdogs appear rational in their approach to punishment, industry will be much more of an ally.

“The time between detection and public notification on this one may be one for the record books, likely driven as much by risk to reputation and a wary eye on some of the large fines levied lately as by GDPR and other compliance requirements,” said Dan Pitman, Principal Security Architect at Alert Logic. “New features increase the risk that vulnerabilities like this can become part of the live application, and Facebook is known to implement new features at a high rate, having been acknowledged as the leader in agile web development practices in the past.

“This ‘continuous delivery’ of new features, combined with the modular nature of that delivery, increases risk that vulnerabilities like this can become part of the live application. Testing all of the myriad combinations of the sometimes hundreds of components, or modules, that can interact is the challenge.”

The very path to a more engaging platform might well be what is causing Facebook’s problems; in the pursuit of relevance, the business model itself might be undermined. Just as with the Cambridge Analytica scandal, users might be discouraged from putting additional information onto the platform, or even encouraged to remove some. At first this will not have a significant impact on Facebook, but straws piling up on the camel’s back will eventually cause some damage.

While departing users might be incrementally eroding the Facebook business, advertisers might start looking at the platform differently as well. This is not to say people will stop advertising on Facebook, but the more incidents that hit the brand and the more stories of people disengaging, the more influence they will have. Facebook might have led the way in hyper-targeted advertising, but others are catching up. Google is arguably the only platform that can compete toe-to-toe with Facebook, and it doesn’t have the same suspect clouds lurking overhead. Twitter has upped its game, Microsoft’s Xbox platform is worth keeping an eye on, as is AT&T’s advertising business Xandr. Even Sky’s AdSmart platform offers an incredibly targeted proposition. These security breaches might start to weigh heavy when there are other options out there.

Another very important factor in this incident is GDPR. Since the rules came into force in May, this is the first major incident to test their resilience and credibility. How European investigators, currently led by the Irish data protection watchdog, react will set a precedent and shape the way other companies view the rules. The next few weeks are very important for Europe in terms of validation.

The issues regulators face at the moment are consequences and bad guys. To make an appropriate ruling, demonstrate the importance of security and dish out the appropriate fine, there needs to be someone or something to point the naughty finger at.

“Based on information available, a video uploading feature implemented in July of last year exposed this feature to a flaw that allowed attackers to impersonate other user accounts and effectively obtain full access to their Facebook profiles,” said Greg Foss, Senior Manager of Threat Research at LogRhythm. “It appears that attackers are able to access the accounts of ‘friends’ or those already connected to the compromised account.

“If that’s true, it may be possible to trace the attacks back to a single point of origin, given the nature of how the attack spreads to other accounts. That said, the origin account will most likely not be that of a real Facebook user, so determining an individual or group behind this will take some digging.”

Once a bad guy has been found, the threat becomes real and there are tangible consequences. That is when the appropriate punishment can be justifiably dished out while maintaining a positive relationship with industry, and when the dangers of the digital economy can be effectively communicated to the general public. This will scare Facebook more than anything else.

Fines are bearable; they are a one-off hit. But negative PR and public outcry will mean fewer people engage with the Facebook community, and that will hit the bottom line. Managing this negative impact will be significantly more important than any fine dished out by European regulators.

Could a security breach de-rail the magenta express train?

T-Mobile, ably led by wild-eyed CEO John Legere, has been causing chaos throughout the US wireless market, but a data breach could dent the brand’s credibility in the eyes of customers.

Customer opinion is a fickle thing. Sometimes it takes only a minor incident and all of a sudden the brand is as attractive as a turd in a washing machine. T-Mobile has been generating serious momentum over the last few years, readily stealing subscribers from the likes of AT&T and Verizon by undercutting their tariffs, but how much of an impact will a data breach have on brand perception?

“Out of an abundance of caution, we wanted to let you know about an incident that we recently handled that may have impacted some of your personal information,” T-Mobile wrote in a statement to customers.

“On August 20, our cyber-security team discovered and shut down an unauthorized access to certain information, including yours, and we promptly reported it to authorities. None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised. However, you should know that some of your personal information may have been exposed, which may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid).”

According to reports and rumours across the industry, the breach could have exposed as many as 2.5 million subscribers. According to a T-Mobile spokesperson talking to Motherboard, the incident occurred after hackers compromised company servers through an API, although no further technical details have been disclosed. The attackers are believed to be based outside the US.

This is not the first time T-Mobile US has been exposed for security flaws. In May, researcher Ryan Stephenson found a bug that allowed external parties to access customer information using nothing more than a phone number. An API used by T-Mobile staff let them look up customer details simply by entering a phone number, but it had no authentication at all, so anyone who found the sub-domain could use the same short-cut. The oversight exposed a customer’s name, address and billing account number, and in some cases information about tax identification numbers and security question information.
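As an added illustration, written for this page and not T-Mobile’s code, the following Python models the flaw just described: a staff lookup endpoint keyed on a phone number that performs no authentication, so anyone who finds the host can query it. It shows how cheaply an outsider enumerates such an endpoint and, beside it, a hardened handler for the same lookup that requires a staff session, records an audit entry and rate-limits each agent. The records, session cookie, agent id and number block are all constructed for the example.

```python
"""Added example (hypothetical code, not T-Mobile's): an internal customer
lookup API with no authentication, the enumeration it invites, and a hardened
version of the same handler."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample records keyed by phone number.
CUSTOMERS = {
    "2125550101": {"name": "A. Example", "account": "100001", "zip": "10001"},
    "2125550105": {"name": "B. Example", "account": "100005", "zip": "10002"},
}
# Constructed staff session cookie -> agent id.
STAFF_SESSIONS = {"sess-staff-1": "agent17"}
AUDIT_LOG = []  # (agent, phone) for every permitted lookup


def _phone_from(path: str) -> str:
    return parse_qs(urlsplit(path).query).get("phone", [""])[0]


def vulnerable_lookup(path: str, headers: dict):
    """The flaw: a staff convenience endpoint with no credential check.
    GET /lookup?phone=NNN returns the record to anyone who reaches the host."""
    rec = CUSTOMERS.get(_phone_from(path))
    return (200, dict(rec)) if rec else (404, {})


class RateLimiter:
    """Per-caller request counter; enough to stop bulk walks of a number block."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, key: str) -> bool:
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def hardened_lookup(path: str, headers: dict, limiter: RateLimiter):
    """Same lookup behind a staff session, a per-agent rate limit and an audit entry."""
    cookie = headers.get("Cookie", "")
    agent = STAFF_SESSIONS.get(cookie[len("session="):]) if cookie.startswith("session=") else None
    if agent is None:
        return (401, {})  # not a logged-in staff member
    if not limiter.allow(agent):
        return (429, {})  # this agent is querying too fast
    phone = _phone_from(path)
    AUDIT_LOG.append((agent, phone))
    rec = CUSTOMERS.get(phone)
    return (200, dict(rec)) if rec else (404, {})


def enumerate_block(prefix: str, handler, headers=None) -> dict:
    """What an outsider scripts against the endpoint: walk a 100-number block
    and keep every hit. Stops at the first 401/429, since the endpoint is then
    no longer free to query."""
    found = {}
    for n in range(100):
        phone = f"{prefix}{n:02d}"
        status, rec = handler(f"/lookup?phone={phone}", headers or {})
        if status == 200:
            found[phone] = rec
        elif status in (401, 429):
            break
    return found


if __name__ == "__main__":
    limiter = RateLimiter(20)
    print(enumerate_block("21255501", vulnerable_lookup))  # both constructed records
    print(enumerate_block("21255501", lambda p, h: hardened_lookup(p, h, limiter)))  # {}
```

Authentication is the actual fix; the rate limit and audit log are there because a staff lookup tool will still be abused by a compromised or malicious staff account, and a walk through a phone number block is exactly the pattern the limiter stops and the log makes visible.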

Every company will have flaws in its systems; perimeters are simply too vast nowadays for 100% secure to be a realistic goal. The issue here is credibility: how much of an impact will the news have on customers’ perception of T-Mobile as a brand and as a trusted guardian of their personal information?

As mentioned, customers are very fickle, especially when much of the attraction to a brand is based on price. Some customers might now be asking a simple question: are a few saved dollars each month worth the risk of my personal information being exposed? T-Mobile has been excellent at hoovering up new subscribers over the last couple of years, but that has been driven by highly aggressive marketing focused on acquisition. The brand’s retention capabilities have not genuinely been put to the test.

With data protection and privacy high on the agenda following several scandals, most notably the Facebook Cambridge Analytica saga, customers are becoming more sensitive to such incidents. Whether this is enough to de-rail the magenta express train remains to be seen, but it does raise questions about the company’s credentials.

ICO report shows UK is starting to take privacy and data protection seriously

The UK Information Commissioner’s Office has released its annual report for 2017/18, which suggests the UK is starting to adopt the right attitude to privacy and data protection.

Privacy and data protection are areas of the technology world everyone seems to care deeply about, but few seem willing to do anything about. Consumers are constantly shocked by the lack of protection leaky organisations give their personal information, yet the same consumers are always more than willing to hand over data when it means avoiding payment. It has seemed a bugbear of convenience for the consumer, but perhaps this report indicates those attitudes are changing.

“This is an important time for privacy rights, with a new legal framework and increased public interest,” said UK Information Commissioner Elizabeth Denham. “Transparency and accountability must be paramount, otherwise it will be impossible to build trust in the way that personal information is obtained, used and shared online.”

Denham and her team do, of course, have a challenging task. The ICO’s mission statement lists some lofty goals, such as increasing the public’s trust and confidence in how data is used, or improving standards of information rights practice across industry. Winning this battle will rely not only on companies taking their responsibilities more seriously, but also on consumers realising it is their duty to manage their own personal data. Sceptics would argue neither is being taken seriously at the moment, though optimists might point to the statistics.

The report says 235,672 calls were received by the ICO’s helpline, an increase of 24.1% year-on-year, while 30,469 live chats were requested, up 31.5%. The caseload grew from 115 on 31 March 2017 to 3,526 on the same date in 2018. Over the course of the year, 21,019 calls concerned data protection, a 15% increase on 2017, with most people concerned about subject access (39%), disclosure of data (16%), its accuracy (11%) and the right to prevent processing (9%). The sceptics might still argue that privacy and data protection are not being taken seriously, but the fact that enquiries and complaints are heading upwards suggests the general public and businesses are starting to acquire a new appreciation of how the digital economy works, as well as its risks.

On the data breach front, the number of self-reported cases is also on the up. 3,172 incidents were reported to the ICO over the course of 2017/18, a 29.6% increase. The majority of these cases did not result in a fine; there is wiggle room if a company can demonstrate that its approach to security was stringent. Healthcare is proving to be the most porous sector in the UK, accounting for 36% of incidents.

Security has seemingly never been a top priority for many organisations, except when trying to score PR points, though the same could be said of the consumer. The last 12-18 months have seen a change in attitude towards personal information; consumers are more careful about giving information out freely, though there still seems to be a lack of understanding of how terms and conditions work in the app economy. How many realise that by playing Clash of Clans, the user is agreeing to hand over a great deal of personal information?

Awareness is only one area that needs work, and the ICO points out there are still risks on the horizon. There is still uncertainty over the final wording of the upcoming Data Protection Bill and its enactment, the operational changes necessary to regulate under GDPR will cause issues, and so will introducing a new funding regime for data protection work.

A lot is changing on the regulatory front, but the worrying question about bureaucrats remains: are they able to keep up with the pace and sheer breadth of change constantly taking place in the technology world?

UK Government shows some teeth on cyber security defences

The UK Government has finally had enough of the data breaches that have been popping up over the last 18 months, threatening businesses with fines of up to £17 million if defensive standards are not met.

New sector-specific regulators will be set up to assess the individual needs of sectors deemed critical to the UK, such as energy, transport and healthcare. The National Cyber Security Centre will publish new guidelines today (January 30) that roughly outline the rules and expectations, and businesses will be encouraged to engage actively with their newly formed regulator.

“Today we are setting out new and robust cyber security measures to help ensure the UK is the safest place in the world to live and be online,” said Margot James, Minister for Digital and the Creative Industries.

“We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services. I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cyber security.”

While the majority of reported data breaches occur in the US, there are of course examples everywhere else, and the UK has had its fair share. In November, shipbroker Clarkson warned shareholders that stolen data might be released after it refused to pay the hacker’s ransom; Deloitte suffered a breach reportedly because an administrative account was not protected by two-step verification; and BUPA suffered a leak affecting 500,000 customers on its international health insurance plans.

Going forward, incidents will have to be reported to the regulator, which will assess whether appropriate security measures were in place. These regulators will also have the power to issue legally binding instructions to improve security, and to hand out fines. A £17 million fine is certainly a deterrent, though it won’t be handed out willy-nilly. Companies that have assessed the risks adequately, taken appropriate security measures and engaged with regulators, but still suffered an attack, will not face a fine.

Interestingly enough, that irritating ‘up to’ qualifier has appeared again. £17 million is the maximum fine that can be imposed on an organisation, but there has been no guidance on how the amount will be assessed. The guidance from the National Cyber Security Centre may offer more detail, but for the moment we’ll have to wait for the new regulators to be formed. These watchdogs might well be feisty, or they might be just another bloated government body.


Are you data breach fatigued?

Data breaches are nothing new; quite the contrary. Their very frequency makes it likely that we are fatigued to the point of indifference by the number of leaks surfacing.

Knowing the value of money is a lesson parents have been teaching children for years, but how many are teaching the value of personal information? If you do not know the value of something, can you actually care when it has been lost?

Despite what many people will say, the digital economy is not quite with us yet. Or at least not in the sense which most would want. Whether it is paying for a newspaper with coins, or using your Oyster card to get onto the tube, or flagging down a Black Cab in central London, there are still those around who are embracing the old ways.

We’re in the middle ground right now, where the idea of using information as a currency is a novelty, and because it is still a novelty, no one really understands it. If no one understands it, then no one really appreciates the dangers. And if no one appreciates the dangers, how do we adequately protect ourselves?

This lack of understanding leads us to leave too much personal information out there, but it also means we do not appreciate the damage that can be done through data breaches and leaks. How often do you pay attention to news stories about companies losing data?

Telecoms.com is guilty of this. We do not cover every data breach story because there are so many of them. It’s not always engaging content because it happens so often; we are breach fatigued. And we suspect many in the general public feel the same.

As a disclaimer, we cannot claim credit for the term ‘breach fatigue’; credit goes to Trend Micro’s VP of Security Research Rik Ferguson, who raised the idea with us in a conversation a couple of weeks ago, but in light of the Equifax meltdown it is an interesting idea to revisit.

Did the data breach at Equifax get anywhere near the same attention as similar incidents in recent months? Or how about the one at the InterContinental Hotels Group in February? Or Verifone in March? What about the Taringa breach where more than 28 million records were exposed?

If it were a bank, we would be in a state of hysteria; that is our money they are messing around with. But this is supposedly the beginning of the digital economy. We should be just as incensed by the exposure of our personal information, as it is apparently the new currency of the connected society. Does this difference devalue our personal information?

It’s a vicious circle we currently find ourselves in. If we are not bothered by breaches, it implies we do not value our personal information that much. If we do not value our personal information that much, companies are less inclined to protect it as stringently. When we become desensitised to breaches, companies will start to cut corners; they will soon realize there are fewer consequences. A little less will be spent here, a little bit more risk taken there. The number of breaches will increase, and we will care less. It’s a worrying trend to be involved in.

The big problem is we do not yet know the consequences of data breaches. If a bank loses our money, we know what the consequences are there, but what about personal information? What is there to lose? We haven’t humanized the consequences of data breaches yet. With the Equifax breach 143 million records were exposed, but right now that is 143 million faceless individuals. How do you associate pain with anonymity?

At the moment, people are living in blissful ignorance of a problem that is everywhere. Perhaps we are losing control of security because people are becoming fatigued by breaches that are themselves created by a lack of attention.

Every time something is done to correct a problem it is because someone has been punished. There is a human element to the error. Right now we are not seeing the human cost of data breaches, but will the number and depth of these data breaches increase until we do?