Facebook downplays data breach in internal email
An internal Facebook email, accidentally sent to Belgium-based Data News, has revealed its strategy for dealing with the leaking of account details from 533 million users.
It suggests the social network expected more such incidents and was planning to frame it as an industry problem that was a normal occurrence.
It also said the media attention would die down.
As a result it planned to issue limited statements about the issue.
Facebook confirmed the memo was genuine and told the BBC: “We understand people’s concerns, which is why we continue to strengthen our systems to make scraping from Facebook without our permission more difficult and go after the people behind it.”
Later, a spokesperson added that LinkedIn and Clubhouse had also faced “data scraping” issues.
Data from 533 million people in 106 countries was published on a hacking forum earlier this month.
Facebook said the data was old, from a previously reported leak in 2019. It has denied any wrongdoing, saying that the data was scraped from publicly available information on the site.
But it now faces a probe from the Irish data commissioner about whether it broke GDPR rules, and a mass legal action from affected EU citizens, who had a range of personal data leaked, including phone numbers.
The email published by Data News is dated 8 April – several days after the story broke. It said press coverage on the issue from “top tier global publications” had already declined by 30%.
Reputation over users
It provided a summary of how the story had been reported to date.
“Publications have offered more critical takes of Facebook’s response framing it as evasive, a deflection of blame and absent of an apology for the users impacted,” it noted, adding that the pieces were often driven by quotes from “data experts or regulators, keen on criticising the company’s response as insufficient”.
In a section headed “Long-term strategy”, Facebook said it did not plan additional statements on the issue. “We expect more scraping incidents and think it’s important to both frame this as a broad industry issue and normalise the fact that this activity happens regularly,” it said.
It added that its plan would include a blogpost talking about its anti-scraping work, that offered transparency on how the firm was dealing with the problem.
Data News also questioned Facebook’s assertion that the problem was discovered and resolved in August 2019, pointing out that ethical hacker Inti De Ceukelaire warned the company two years earlier that it was possible to find someone’s phone number via Facebook.
Mr De Ceukelaire told the BBC that the leaked memo “revealed what we have suspected for a long time but now it is there in black and white – Facebook cares more about its reputation than informing its users”.
He said that Facebook had attempted to “spin the problem”.
“At first they were completely silent, then they gave the press one sentence about how the data was old and when that didn’t work they started talking about how it was all about scraping rather than Facebook’s own system.”
He added that the data was not old, because phone numbers usually do not change, and also that the original privacy settings for phone numbers were extremely confusing. – bbc.com