Facebook does not plan on notifying the half-billion users that were affected by its recent data breach.
Last week, Business Insider reported the data includes personal information of 533 million Facebook users from 106 countries, including more than 32 million records on users in the U.S., 11 million on users in the U.K., and 6 million on users in India. The data also includes phone numbers, Facebook IDs, full names, locations, birthdates, bios and some email addresses. A Facebook spokesperson said the data had been scraped due to a vulnerability patched in 2019. Insider also attempted to reach the leaker through the messaging app Telegram but did not get a response.
The Facebook spokesman said the social media company was not confident it had full visibility on which users would need to be notified, and took into account that users could not fix the issue and that the data was publicly available in deciding not to notify users, according to Reuters.
“That failure to notify individuals affected by a breach is even considered a reasonable option demonstrates the ground we still need to cover with respect to the cultural expectations we place around digital platforms, and the standards we hold them to,” says Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyberattackers. “In the physical market, under no circumstances would we expect that if we placed a valuable personal asset in the trust of a third party – and make no mistake, our personal data and privacy are exceptionally valuable – that we would not be notified if the integrity of that item had been compromised while in their care.”
Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, explains, “Facebook isn't known for championing privacy, and this latest incident is yet another example that further damages their brand. It is irresponsible not to notify customers that their personal information may have been compromised, and given the 2019 FTC ruling requiring notification, Facebook should have better visibility into their data and how it is used. The fact that Facebook lacks this ability is a failure in their security monitoring. This incident highlights the need for breach notification requirements to have teeth and steep penalties. If an organization doesn't have the instrumentation to determine the scope of data loss, there should be additional penalties.”