‘This was not a breach’: How Big Tech gaslights the world on data leaks
More than a billion people's data has appeared on hacker forums in recent days, but no-one's owning up to doing anything wrong.
First Facebook. Then LinkedIn. Now Clubhouse.
After data on a combined billion Facebook and LinkedIn users appeared online last week, reports surfaced over the weekend that upstart social network Clubhouse had also leaked reams of user information.
But if you think any of the above is a problem, Big Tech has a message for you:
You’re the crazy one.
The audio platform called the reports “misleading and false” and maintained it had not been breached or hacked.
“The data referred to is all public profile information from our app, which anyone can access via the app or our API,” it said in response to data on 1.3 million users being posted online.
It was a response seemingly straight from the Facebook playbook.
The social media giant had responded in a similar fashion earlier in the week to reports that data on 533 million of its users — including the EU’s data protection chief — had been leaked.
“It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019,” read a Facebook blogpost on April 6, explaining that scraping was a common tactic used to lift “public information.”
Several days later, Microsoft-owned LinkedIn suffered almost an exact replica of the Facebook leak, with half a billion user records — including full names, email addresses, and phone numbers — appearing online.
Its response? Yes, you guessed it: the company said it was public data and denied it was a data breach.
“It does include publicly viewable member profile data that appears to have been scraped from LinkedIn. This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review,” read the LinkedIn response.
But not everyone is buying the companies’ attempts to get themselves off the hook for leaking the data in their custody.
“Facebook seem to say there is no issue because they weren’t hacked. That in ways is worse,” said Ravi Naik, a director at AWO, a data rights agency.
“I think their response really speaks to a wider issue of how they see and treat personal data.”
But Facebook, LinkedIn and Clubhouse are by no means alone in trying to absolve themselves of blame. Read on to find out what to say if your company has leaked information online.
Say it’s public data
The response du jour. The data was public anyway, so what’s the problem? See Facebook, LinkedIn and Clubhouse going large on the fact that much of the data was posted to public profiles.
There’s a hitch to this though.
Firstly, in Facebook’s case at least, the company seems to be adopting quite a liberal interpretation of what’s public. Phone numbers that appeared in the online databases, for instance, were in many cases not included on public profiles, yet Facebook says they are public because people could still be discoverable by the numbers.
Secondly, whether the data is public or not is not actually a factor in whether there’s been a data breach. According to the legal definition, a data breach occurs if there’s “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” There’s no mention of whether information is public or not.
We’ll let you make your own minds up as to whether any of the trio of recent data incidents qualify.
Don’t tell the regulator (and definitely don’t tell users)
If there wasn’t a data breach, there’s no need to tell the regulator and face a possible probe. See the logic?
Following news of the Facebook leak, its lead EU privacy regulator, the Irish Data Protection Commission, said it had received “no proactive communication” on the incident from the social media company.
But regulators can take matters into their own hands once they do hear the news, as Italy’s regulator did, announcing an inquiry into LinkedIn’s data leak last week.
There is a higher threshold for notifying users of breaches under EU rules, so if the regulators aren’t being told, you sure as hell aren’t.
Ignore, and ignore again
Why not just pretend it didn’t happen?
In January, the U.K.’s cybersecurity agency, the NCSC, wrote about the proliferation of ransomware. One (unnamed) organization was hit with ransomware and paid just under £6.5 million to recover their files — only to ignore the vulnerability in their networks.
“Less than two weeks later, the same attacker attacked the victim’s network again, using the same mechanism as before, and re-deployed their ransomware,” the NCSC wrote. “The victim felt they had no other option but to pay the ransom again.”
Blame the intern (or a rogue employee)
One of the issues investigators examined as a possible cause of the major SolarWinds hack of U.S. and global organizations, discovered last year, was the use of the password “solarwinds123,” which left servers vulnerable to attack.
In a testimony to the U.S. Congress, former SolarWinds CEO Kevin Thompson said the password issue was “a mistake that an intern made,” CNN reported.
Blaming the fall guy is a tried and tested technique.
When credit reporting agency Equifax announced in 2017 it suffered a breach affecting 147 million people, lawmakers summoned the leadership for an explanation. Former CEO Richard Smith told U.S. Congress that the mistake came down to one IT engineer: “The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not,” he said, according to the Verge.
From the EU’s own playbook — Call the leak misinformation
When the EU’s own European Medicines Agency (EMA) got hacked late last year, the agency as well as affected drug makers BioNTech and Pfizer were quick to respond with public statements to contain the damage.
But in January, media outlets reported the compromised data included emails showing pressure was put on the agency to hurry up with coronavirus vaccine approval processes, prompting the agency to say some data circulating online “may have been taken out of context” and “not all of the documents were published in their integral, original form.”
What the EMA didn’t say, however, is whether the media reports were accurate — and what information exactly, in the leaked copies floated on the internet, wasn’t accurate.
If it is a hack, call it “sophisticated”
In a particularly egregious example of this PR fave, TalkTalk said in 2015 it had been the victim of a “sophisticated” cyberattack which hit thousands of customers.
But when the U.K.’s data protection authority fined TalkTalk a then record £400,000, it accused the telco of failing to “implement the most basic cyber security measures,” allowing hackers to penetrate systems “with ease.”
To add insult to injury, the company’s then CEO, Dido Harding — now the head of Britain’s new health agency — said at the time that she had no idea whether the company had taken basic security steps.
“The awful truth is, I don’t know,” she said in answer to whether customers’ bank details had been encrypted.