The Telegraph is reporting that Facebook knew about a serious security flaw that let hackers steal personal data from millions of its users almost a year before the attack, yet failed to fix it in time. Legal documents show that the company was repeatedly warned by its own employees, as well as by outsiders, about a dangerous loophole that eventually led to the massive data breach in September 2018. Despite this, the loophole remained open for nine months after it was first raised, leading employees to later speak of their “guilt” and “hurt” at knowing that the attack “could have been prevented”. The breach, which involved stealing the digital access tokens Facebook uses to verify users’ identity without needing their passwords, exposed the names, phone numbers and email addresses of 29 million people and a host of more intimate data for 14 million of those accounts.
@Facebook was repeatedly warned of #security flaw that led to the biggest #databreach in its history in a #cyberattack that affected 29 million people via @Telegraph #data #datasecurity #cybersecurity https://t.co/i3IXwVDrSy
— MikeCassell (@MikeCassell22) February 10, 2020
All organisations, knowingly or unknowingly, make risk-based security decisions. There are inevitably more vulnerabilities and issues that need fixing than there are resources to fix them, so some issues will always take priority over others.
Even when something appears to be a ‘simple’ fix, like a patch, it can take significant resources to test and validate that the fix won’t have unintended consequences that impact other systems or open up another, more serious vulnerability.
With that being said, Facebook is unlike the majority of organisations in the world. It holds vast amounts of highly sensitive personal information belonging to its users, and it should take every possible measure to protect that information from both inadvertent and deliberate misuse, whether that obligation is viewed from a legal or an ethical perspective. Such leaks from Facebook are a treasure trove for people with ill intent, as the Cambridge Analytica affair made clear.