Facebook’s 6-Million-User Breach A Frightening Reminder To Retailers About Data-Sharing Partner Risks
Written by Evan Schuman
Retailers who worry about data and PII security issues were reminded Friday (June 21) that they have to worry not only about their own systems but also about the security mechanisms of every data-sharing partner. And given the social media goals of most chains, the fact that it was Facebook fessing up to a 6-million-user data leak didn’t help their nerves.
It didn’t help matters that Facebook said it discovered the problem the week of June 10, fixed it within 24 hours but didn’t reveal the problem until late in the day on June 21. (Want to bury news? Release it at 4:50 PM on a Friday in late June.) Reuters quoted an unnamed Facebook spokesperson attributing the delay to “a company procedure stipulating that regulators and affected users be notified before making a public announcement.”
It’s not clear how many “affected users” were notified or when, but given the very public nature of Facebook and the fact that nothing was reported until late on June 21, it appears that either only a small number of users was notified or they, too, were not told until very late on Friday.
When Facebook did eventually reveal the breach, it went into fairly decent detail about what happened. The details of the breach illustrate how innocuously these problems can crop up and how destructive they can be.
“When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. For example, we don’t want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook. Instead, we want to recommend that they invite those contacts to be their friends on Facebook,” Facebook’s blog post said. “Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.”
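To make the failure mode in Facebook’s description concrete, here is an added model (not Facebook’s code, and the users and identifiers are constructed) of the leak: identifiers merged from other people’s address-book uploads for matching purposes get written back into a user’s stored contacts, and the export tool then serialises those stored contacts verbatim. The fixed variant keeps the merged matching index separate from the per-user stored contacts, so the export can only ever contain what that user uploaded.

```python
"""Model of the DYI contact leak: identifiers contributed by one user's
address-book upload must never be written back into another user's stored
contacts, because the export tool serialises stored contacts as-is."""
from copy import deepcopy

# Constructed sample uploads (hypothetical users, not from the article).
# Alice knows Carol's email only; Bob knows Carol's email and phone.
UPLOADS = {
    "alice": [{"emails": {"carol@example.com"}, "phones": set()}],
    "bob":   [{"emails": {"carol@example.com"}, "phones": {"+1-555-0100"}}],
}

def build_matching_index(uploads):
    """Union the identifiers of contacts that share an email, across all
    uploaders. This merged view is what friend recommendations need."""
    index = {}                       # any email of a person -> merged record
    for contacts in uploads.values():
        for c in contacts:
            merged = {"emails": set(), "phones": set()}
            for e in c["emails"]:    # reuse an existing record if one matches
                if e in index:
                    merged = index[e]
            merged["emails"] |= c["emails"]
            merged["phones"] |= c["phones"]
            for e in merged["emails"]:
                index[e] = merged
    return index

def store_contacts_buggy(uploads):
    """Buggy: the merged record is stored as the uploader's own contact.
    Assumes every uploaded contact carries at least one email."""
    index = build_matching_index(uploads)
    return {user: [deepcopy(index[next(iter(c["emails"]))]) for c in contacts]
            for user, contacts in uploads.items()}

def store_contacts_fixed(uploads):
    """Fixed: stored contacts are exactly what the user uploaded; the matching
    index exists only for recommendations and is never exported."""
    build_matching_index(uploads)
    return {user: deepcopy(contacts) for user, contacts in uploads.items()}

def export_dyi(stored, user):
    """The export returns stored contacts verbatim, so anything merged in leaks."""
    return [{"emails": sorted(c["emails"]), "phones": sorted(c["phones"])}
            for c in stored[user]]

def leaked_identifiers(uploads, stored, user):
    """Identifiers present in a user's export that the user never uploaded."""
    own = set().union(*(c["emails"] | c["phones"] for c in uploads[user]))
    out = set().union(*(set(c["emails"]) | set(c["phones"])
                        for c in export_dyi(stored, user)))
    return out - own
```

Running `leaked_identifiers` against both storage variants shows Carol’s phone appearing in Alice’s export only under the buggy one; the check is a cheap pre-release test for any export feature that reads from a store shared with a matching or enrichment pipeline.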
Facebook said it disabled the DYI tool, fixed the hole and reactivated the system the next day. In the interim, though, things got messy.