Facebook announced that it experienced a breach this week that lost 50 million users' data[1]. Ironically, the breach happened in part due to exploited bugs in three features developed to give users more control over their privacy[2].

Some quick key lessons to take away from this breach:

  • This is just the beginning of breaches in the platform economy: It is easy to forget just how many users Facebook has now. In Q2 of 2018, Facebook had 2.234 billion active worldwide users[3]. In truth, 50 million users is just a small fraction of their overall users. However, the platform economy of today concentrates users and their data in a few mega-firms that become prime targets for attack. If criminals rob banks because "that's where the money is," then hackers will attack platforms in the data economy since "that's where the data is." Large concentrations of data are hard to resist.
  • These features were created in a rush to show Facebook's commitment to greater privacy: After spending most of 2018 pretending it had not operated with scorn for user privacy in the 10-plus years since its inception, Facebook promised a newfound commitment to transparency and privacy. Those promises required follow-through, which meant Facebook had to release several new features for end users. Companies frequently rush to publish new features -- in fact, an old Facebook motto was "move fast and break things" -- but this is not an excuse to forgo security tests or controls. In the age of the customer, new features are fundamentally expected to provide secure and safe experiences, not just new functionality. Had Facebook cared about privacy before Cambridge Analytica's whistleblower made the news, these controls may not have been deployed with
