Facebook's Early, Misguided Call on Breach DisclosureEmails With Aussie Regulator Show Facebook's Thoughts on 'View As' Hack
Shortly after a massive data breach affected up to 50 million accounts last September, Facebook didn't believe the incident needed to be reported under Australia's mandatory breach notification law.
Facebook's early opinion is revealed in a series of emails between Australia's regulator - the Office of the Australian Information Commissioner - and company officials. The emails, which are partially redacted, were released on March 11 by the OAIC following a Freedom of Information Act request.
The incident compromised access tokens, which allow people to stay logged into their account. If stolen, the tokens would enable an attacker to access someone's account. The company discovered three separate bugs affecting a feature called "View As" that allows people to view their profile as it appears publicly. The attack started on Sept. 14, 2018, and ran for two weeks (see: 50 Million Facebook Accounts Breached).
As a result, Facebook invalidated the access tokens for 50 million accounts and 40 million others as a precaution. It learned of the problem on Sept. 25, 2018, and publicly disclosed the incident in a blog post three days later.
By law, Australia requires certain types of data breaches to be reported to regulators and those affected. Eligible breaches are those that could cause "serious harm" to victims, and the OAIC has guidelines to help organizations make that decision.
Facebook told OAIC Principal Director Amie Grierson in an Oct. 1, 2018, email that "at this stage we do not consider the incident to be an eligible data breach under the Australian notifiable data breaches scheme."
But Facebook cautioned that its investigation was in its early stages and that it did not know if any Australians were affected. Along with the blog post, Facebook also directly notified individuals who were affected through its platform.
Facebook officials in Sydney couldn't be immediately reached for comment on Wednesday.
A Conclusion Too Soon?
Under Australia's mandatory reporting requirements, organizations have 30 days to report a breach. While Facebook quickly reached out to regulators worldwide, it appears to have drawn a conclusion too soon in Australia as to the seriousness of the breach.
It's a tough call to make in the fog after an incident. One of the issues with Australia's notification law is that it leaves it up to organizations to decide whether their incident could cause serious harm to people, says Troy Hunt, a data breach expert and creator of Have I Been Pwned breach notification service.
The emails don't illuminate Facebook's thinking as to why in those early days the breach didn't qualify for mandatory notification. But Facebook did say in its initial blog post that access tokens were taken, which is generally very bad news.
Hunt says there's a sweet spot with notifications: Organizations need to provide something that is useful and accurate but at the same time not compromise an ongoing investigation. "That really sort of depends on the nature of the incident," he says.
In 2016, the Australian Red Cross, for example, provided a full accounting of its breach within 72 hours. A Red Cross contractor had left a 1.7 GB MySQL database backup online for seven weeks. The mistake exposed personal details for 550,000 registered blood donors and answers to sensitive medical questions (see: Australian Red Cross Leak Exposes Contractor Risks).
But that was a straightforward case. "This is not sophisticated nation-state, threat actor ATP," Hunt says.
Probably an Eligible Breach
The Facebook incident, however, turned out to be bad, and it hit the company at a time when it was already reeling from the Cambridge Analytica scandal and facing regulator inquiries (see: Facebook Sued in US Over Cambridge Analytica).
Around Oct. 12, Facebook provided the OAIC with a more detailed view of what Australian data was exposed. All told, 111,813 accounts were exposed to varying degrees, the documents reveal.
For 47,912 accounts, full names, email addresses and phone numbers were exposed. For 1,595 accounts, the breach may have revealed timeline posts, friends lists, memberships in groups and names of recent Messenger conversations.
But for bulk of the affected Australian users - some 62,306 people - all of their basic profile information was exposed, including names, email address, phone numbers, gender, relationship status, hometown, current city of residence, birthday, recent search queries and places where they'd checked in.
No password data, identity documents or financial information was exposed, however, which is possibly why Facebook thought its breach wasn't eligible for reporting.
IMO the sheer scope of the information involved would suggest notification was required. Further, religious affiliation falls within the meaning of 'sensitive information' under the Privacy Act. Certainly gives rise to a risk of identity theft.— Tim de Sousa (@TimdeSousa) March 26, 2019
But OAIC's guidance says that a breach may qualify as serious if it is large in scale. For example, even if affected individuals have a small chance of experiencing harm, the likelihood that someone will experience serious harm rises if there are large numbers of victims.
"From a risk perspective, it may be prudent, depending on the particular circumstances, to assume a breach involving the personal information of a very large number of people is likely to result in serious harm to at least one of those individuals, unless context or circumstances would support this not being the case," the regulator says.
The OAIC can levy fines up to AU$420,000 (US$297,000) for individuals and $2.1 million for organizations for failing to report a breach.
Had Facebook not voluntarily disclosed the incident, the OAIC requirements would appear to have required disclosure, writes Tim de Sousa, a privacy specialist and director of the New South Wales Government Policy Lab, on Twitter. Also, the disclosure of religious affiliation falls under the definition of sensitive information in Australia's Privacy Act, he writes.
"Certainly gives rise to a risk of identity theft," de Sousa writes.