What happens to our personal data? Many social media users ask this question nowadays. Especially since leaks coming from the same, most used platforms are continuously being reported.
Many celebrities are said to be among the victims of this attack, even Mark Zuckerberg himself, as suggested in this tweet.
The author of this tweet revealed that Mark Zuckerberg uses a special app with an end-to-end encryption program, which does not belong to Facebook to protect his personal data. Nevertheless, it did not stop his personal data from being leaked. To back up his finding, this Twitter user shared Zuckerberg’s phone number and his Facebook account information. Also among the victims, the U.S. Secretary of Transportation, Pete Buttigieg, the European Union Commissioner for Justice, Didier Reynders alongside 61 members of the Federal Trade Commission and 651 Attorneys General.
This new scandal revives the controversy surrounding the weak protection of our personal data. Especially after the alert was sounded by the technical director of cybercrime intelligence firm Hudson Rock, which revealed the leak, Alon Gal. This expert said that the content that each user publicly posts could provide valuable information to cyber criminals who use this same personal information to impersonate people. “Hackers can also go as far as to appropriate their login credentials”, he warns.
All 533,000,000 Facebook records were just leaked for free.
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3 pic.twitter.com/nM0Fu4GDY8
In some countries, authorities quickly reacted. The Irish Data Protection Commission (DPC) for example announced five days ago that it has started investigating in order to determine whether Facebook had violated data protection rules or not. The DPC, the equivalent in Morocco of The National Control Commission for the Protection of Personal Data (CNDP), considers that this leak could constitute a violation of the EU General Data Protection Regulation (GDPR). If the Irish regulator proves Facebook guilty, the company could face a financial penalty of up to 4% of its global turnover.
The European Commissioner for Justice, Didier Reynders, approves with DPC’s reaction in this tweet and says he intends to coordinate with them, probably to carry out a similar action in Europe. He also asks Facebook to be careful with personal data.
Commission services have been in contact with @DPCIreland over the #Facebookleak. They are also following the matter via @EU_EDPB.
— Didier Reynders (@dreynders) April 8, 2021
A strong enforcement of #GDPR is of key importance. Facebook should fully cooperate with Irish authorities. Soon I will also speak with @DPCIreland pic.twitter.com/vzVlETHWCG
Reacting to the new storm created online by this leak on the 6th of April in its blog, Facebook said, through its Director of Product Management Director, Mike Clark, that the data was stolen in 2019. It means that it happened before Zuckerberg’s social media corrected a vulnerability found at the time.
“We believe that the data was extracted from Facebook profiles by malicious actors using our contact importer before September 2019. This feature has been designed to help people easily find their friends to connect with on our services using their contact lists”, he argues. Even if the company says that everything has been fixed since then, it does not rule out other possible leaks : “Although we cannot always prevent the recirculation of such data flows or the emergence of new data flows, we have a dedicated team focused on this type of work”.
So, basically what Facebook is saying, users should be careful not to indicate sensitive personal data on registration forms.
Giant market of stolen personal data
This large-scale personal data disclosure is not the first to be put under spotlight. A year ago, cybersecurity specialist Cyble revealed that the personal data of 267 million Facebook members was available for free on the dark web. The website claims in fact that it was possible to acquire them for only 540 dollars, so about 5000 Moroccan dirhams. Even if this stolen information does not contain the user’s passwords, their identity, age, as well as their email addresses and phone numbers are disclosed.
This phenomenon of personal data leaks does not go unnoticed in Morocco, even if it is rarely addressed. During the Tuesday’s of the PCNS, the Policy Center for the New South focused its session, organized on the 13th of April, on « Social media platforms: Between the mobilization of social movements and the challenges of personal data protection ».
Invited to speak about the level of protection of personal data and its challenges, the assistant professor at Mohammed VI Polytechnic University Amir Abdul Reda warned about the risks that come with illegal use of this type of data. He explained despite the existence of legal procedures to restrict these abuses, especially in developed countries, they are not enough, not fast enough, not effective enough and are limited in the face of the frantic pace of technological progress and programming.
The guest insisted on the emergency to promote the ethical values that opposes to these abuses and the personal data’s exploitation, along the training and the orientation of the next generation of programmers and specialists. The expert Abdul Reda also recommends social media users to avoid entering any personal data on these platforms that is not necessary. This is one way according to him to protect yourself, upstream, against potential leaks.