News Insights: 533 million Facebook users’ phone numbers, personal information exposed online, report says

The story was originally Tweeted by Alon Gal, CTO of security firm Hudson Rock.

News Insights:

Garret Grajek, CEO, YouAttest:

“What is easy to miss when we see a breach of this magnitude of a global corporation is that the hackers are NOT targeting the large brand names like Facebook.  There is no question that Advance Persistent Threat (APT) hacks are devised and targeted at the ‘brass ring’ enterprises like Facebook – but we have to remember that the hackers are running scans across all of our systems. To this end, we all have to be diligent that we are monitoring our system and implementing best practices.  As the Cyber Kill Chain details, hackers will be executing reconnaissance on our systems and enumerating our assets. Once this occurs, the hacker will then penetrate our systems and attempt lateral movement and privilege escalation. It is in these steps where a comprehensive and updated identity governance practice can spot an attacker who is attempting to change account privileges to enable the compromised accounts to move around the enterprise, find crucial PII/PHI data, and then exfiltrate it. Products and practices that can identify and then alert the enterprise about account breaches are crucial to meeting not only compliance, but to achieving enterprise security.”

Saryu Nayyar, CEO, Gurucul:

“This is a huge blow to Facebook. Leaking the personal data of 533 million Facebook users is a data breach of massive significance and consequence. The fines alone could literally cripple the company. 11 million of the users whose data was exposed are in the UK. Under GDPR penalties, Facebook faces a maximum fine of £17.5 million or up to 4 % of their total 2020 global turnover – whichever is higher. The UK fine alone could set Facebook back $3.4 Billion.  Further, over 32 million records are US users. The California Attorney General can seek civil penalties of $2,500 per violation of the CCPA (California Privacy Protection Agency). So, depending on how many of those users are in California, Facebook could be looking at additional fines in the billions. All in all, a very bad situation for Facebook and as usual, completely avoidable. The data breach occurred because of a vulnerability that the company patched in 2019. Facebook obviously needs to improve the company’s maintenance processes to reduce risks from known vulnerabilities.”