In the last few months, the world's most popular social network has faced several problems when it comes to data protection. In July of this year, the Information Commissioner's Office (ICO) in the UK imposed a £500,000 fine on Facebook for its role in the Cambridge Analytica case. This was the maximum possible fine, given that the incident occurred before the GDPR came into force.
Now a new data protection scandal has rocked the Internet giant. Last Friday, as Guy Rosen, VP of Product Management, explained, almost 50 million accounts were exposed to an attack that took place on Tuesday, September 25. The attack was made possible by a vulnerability in the video uploading function that also affected the "View as" function, which lets people see what their own profile looks like to other users. This vulnerability would have allowed the attackers to steal users' access tokens – a kind of key that means users don't have to re-enter their passwords every time they access the site. In theory, with these tokens an attacker could gain access to any third-party app that uses Facebook to log in.
Facebook's initial response to the attack
It didn't take long for Facebook to react: it notified the Data Protection Commission (DPC) in Ireland, where the company's European headquarters are located. Under the GDPR, a company is obliged to report a data breach within 72 hours of discovering it. However, the DPC has said that it needs more information about the attack, such as the number of European users affected and the risk they face, in order to carry out its investigation.
Since the incident happened after the GDPR came into force, the social network could face a fine of up to 4% of its annual worldwide turnover for the preceding financial year, which, in the case of Facebook, would be $1.63 billion (€1.4 billion). But this financial sanction isn't the only repercussion; there is also the reputational damage the firm will suffer, another key aspect of this kind of incident. Many users will lose confidence in the company because of this data breach, and that loss of confidence may turn into a loss of clients and money.
Personal data, fuel for companies
There's no doubt that personal information is power, and that it means serious money. The ways companies process and use this data are varied, sophisticated and very lucrative. Business of this kind is very simple: we hand over information in return for a service, and the service is paid for with our personal data. In exchange, organizations are responsible for protecting us against cybercrimes whose ultimate goal is to compromise our privacy, such as phishing, digital identity theft, or the exploitation of unpatched vulnerabilities, as was the case in this latest incident.
With all of this in mind, it seems that it is now easier than ever to be the victim of a cyberattack. While this is true to a certain extent, it is also true that prevention, detection, response and remediation systems are becoming more and more effective. Panda Adaptive Defense, for example, combines solutions and services to optimize protection, reduce the attack surface, and minimize the impact of these threats.
And the fact is that, with the number of documented bugs and vulnerabilities now up to 20,000 cases – a 38% increase compared to five years ago – the first thing to bear in mind is limiting the attack surface. At tech giants such as Facebook, this may seem like a pipe dream. But keeping confidential information safe from theft or from being held to ransom, even in exorbitant amounts such as the 50 million Facebook profiles in this case, is possible today thanks to solutions such as Panda Patch Management, the new module of Adaptive Defense, which reduces the complexity of managing patches and updates for operating systems and hundreds of third-party applications.
What's more, Panda Patch Management helps companies comply with the accountability principle. Many regulations, such as GDPR, HIPAA and PCI, require organizations to take appropriate technical and organizational measures to properly protect the sensitive data under their control, as is the case with Facebook. Thanks to real-time updates, this module provides visibility into the health of endpoints in terms of pending vulnerabilities and system updates, allowing organizations to act before those vulnerabilities are exploited.
How to protect your company
- Attackers exploit vulnerabilities in unpatched programs. Keep your software and devices up to date.
- Having an automatic vulnerability detection solution reduces the likelihood of suffering a security breach by up to 20%.
- Take full control of personal data and protect your finances: under the GDPR, correct and speedy management by the DPO will save you financial sanctions and reputational damage.
- The ability to compile detailed reports about an incident of this type quickly and efficiently – how it happened, when, and how much data was affected – is very important for facilitating the work of data protection authorities. The Panda Data Control module allows you to discover, audit and monitor unstructured personal data on the endpoints in your company.