
Lessons from the Facebook and Cambridge Analytica Privacy Scandal

INSIGHT ARTICLE

When news broke that the private information of millions of Facebook users had been leaked to the political data firm Cambridge Analytica and used in the 2016 presidential campaign, it sparked national outrage and raised serious concerns about how large organizations protect user privacy. Some were unaware that their personal information could be used in such a way without consent, and many were surprised to learn that the data was not lost in a security breach like other high-profile cases. Instead, the incident was a consequence of lax security policies and insufficient third-party oversight. This is concerning not only for individuals but also for businesses that entrust their (and their customers’) data to third parties.

Although the details of the incident may be complicated, the lessons for how to improve personal and organizational data security and privacy are surprisingly simple. There are a few concrete actions that businesses and users can take to keep themselves safe, but to understand how to protect yourself and your organization from future misuse it is important to start by reviewing what happened.

Untrusted partners

In the weeks following the revelation of this data leak, the national debate has still largely focused on Facebook, but the fact is that many third-party apps and platforms are engaging in very similar activity.

For instance, last year the popular weather app AccuWeather was caught selling user location data to a data monetization firm without explicit permission.¹ Around the same time it was reported that Unroll.me, a service which allows users to manage or unsubscribe from unwanted email promotions, sold information about customer inboxes to third parties through a privacy permissions loophole.² Recent reports have shown that even single-function apps such as Flashlight, which is simply designed to turn on your smartphone’s light, may be accessing information from your calendar, maps or camera.³ And even if an application isn’t selling your data directly, it may not be doing enough to protect it. In 2014, coffee lovers learned that their Starbucks app was storing their email address, password and location information unencrypted, making it easy for attackers to exploit.

In other words, while the debate has largely focused on Facebook, the danger of trusting your data to third-party applications is greater than any one social media platform or application.

Greater still is the danger to companies.

Many businesses have found the Facebook incident uniquely concerning because Cambridge Analytica did not have to hack into company servers or breach technical security controls to access this information without Facebook’s knowledge. Instead, the firm could simply purchase that information from an authorized partner. This highlights the danger of third-party vendors and contractors.

In the same way that individual Facebook privacy settings could be compromised by apps selling or leaking an individual’s data, an organization’s sensitive information could be sold or leaked by a third-party partner. Many organizations work with contractors to outsource everything from IT security to payments and billing. Those contractors or partners may be storing or accessing highly sensitive information about your employees, your financial records, your contracts or your customers. Simply hoping that they are appropriately safeguarding that data is not enough. You must do your due diligence to make sure they are doing theirs.

It is important to remember that if your organization is not holding these partners to the same security standard to which you hold your own business, you are putting your information, your customers’ information, your reputation and therefore your business itself at risk.

What to do

While the Facebook and Cambridge Analytica privacy scandal itself is cause for concern, it is also a call to action. Any breach, no matter how big or small, is a cautionary tale, an opportunity to take specific steps in order to avoid the same fate.

In this case, one key lesson is that security is more than just a matter of technical controls; it is also a matter of proper oversight. Here are a few simple steps you can take to protect yourself and your organization:

Individuals

  • Review the privacy settings on your primary accounts. Determine who can see your private information and establish degrees of permission depending on trust and personal preference.
  • Audit the applications connected to your account. Even if you have strong privacy settings on your main accounts, other apps or tools may be pulling data without your knowledge. Now is a good time to cull unnecessary applications and review any plugins or add-ons connected to your primary accounts. Go to the settings pages of your main email and social media accounts to determine what apps may be sharing your data.

Organizations

  • Review your third-party vendors, partners and contractors. You need to know what controls they have in place to protect your data and with whom they may be sharing that information. It is especially important to conduct such reviews on an ongoing basis, not just when you sign a contract. Even if your organization isn’t directly breached, you can still suffer reputational damage if a third party leaks your customers’ or clients’ information.
  • Validate third-party security. Depending on the size of your organization and the industry you are in, you may want to require that your vendors provide copies of third-party security tests such as vulnerability scans or penetration tests. They have access to your sensitive data, so don’t just take their word that it is secure.
  • Review your own security. Although oversight into third-party security is important, don’t forget to evaluate your own security program. Use this breach as motivation to identify potential weaknesses and determine opportunities for improvement. When information is your business, the survival of your business depends on security.

 


ENDNOTES

1. “AccuWeather Caught Sending User Location Data, Even When Location Sharing Is Off,” (Aug. 22, 2017), ZDNet
2. “Unroll.me Service Faces Backlash Over a Widespread Practice: Selling User Data,” (April 24, 2017), The New York Times
3. “The Hidden Privacy Threat of…Flashlight Apps?” (Oct. 20, 2014), Wired
