A freshly leaked e-mail shows that Facebook is employing the strategy of ignoring the issue and hoping it will all go away.
Earlier this month, we reported on the massive 533 million user data breach story. The half a billion Facebook profiles are now floating around on the dark web, freely available to anyone savvy enough to find them. The database had been floating around since January and security researchers were trying to contact Facebook about it. Those messages went ignored. Hackers have since released the whole database for free on the dark web. That proved to be the last straw, as researchers then contacted the media about it.
As facts about the story gathered, so did the legal liability on Facebook’s part. Word got out that Facebook did not proactively notify EU authorities, which, to our knowledge, would be a violation of the GDPR. Further, Facebook has not notified users of the incident either. Canadian authorities were also not notified, but Canada can’t get its legislative act together and can’t really meaningfully hold Facebook accountable.
After that, Digital Rights Ireland began forming a mass lawsuit and is encouraging affected European users to join in by first visiting facebookbreach.eu.
Facebook did initially respond to reporters by saying that the data that was compromised was old and that the necessary steps have since been taken to correct the problem. That alone caused further outrage, especially given that users were never notified. Since then, it seems that Facebook’s strategy is to ignore the breach altogether and hope the media will finally stop talking about it. From grahamcluley:
Someone in Facebook’s EMEA Communications team seems to have accidentally forwarded an internal email to… a journalist covering the story of the Facebook data breach.
My guess is that a Facebook employee attempted to forward the internal communication to a colleague, and their email client accidentally auto-completed the recipient’s name to be that of an external journalist. Oops!
What makes matters worse for Facebook is that the email reveals the company’s strategy for handling questions about the exposure of 533 million users’ data, painting the problem as an issue for the whole technology industry.
Part of the accidentally-sent email reviews the media coverage that Facebook has already received from the breach:
OVERALL COVERAGE: Publications have offered more critical takes of Facebook’s response framing it as evasive, a deflection of blame and absent of an apology for the users impacted. These pieces are often driven by quotes from data experts or regulators, keen on criticizing the company’s response as insufficient or framing the company’s assertion that the information was already public as misleading. With regulators fully zeroed in on the issue, expect the steady drumbeat of criticism to continue in the press. However, it is important to note that both media coverage and social conversation continues to gradually decline from its peak over the weekend on Monday.
Perhaps more troubling is that Facebook is hoping to frame the issue as a normal, everyday industry issue that is no big deal. The leaked e-mail literally says that Facebook is hoping to “normalize” these stories:
However, the social network says it is going to be revealing more data-scraping incidents in an attempt to normalise the issue as one that plagues the entire industry.
LONG TERM STRATEGY: Assuming press volume continues to decline, we’re not planning additional statements on this issue. Longer term, though, we expect more scraping incidents, and think it’s important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly. To do this, the team is proposing a follow-up post in the next several weeks that talks more broadly about our anti-scraping work and provides more transparency around the amount of work we’re doing in this area. While this may reflect a significant volume of scraping activity, we hope this will help to normalize the fact that this activity is ongoing and avoid criticism that we aren’t being transparent about particular incidents.
Cluley comments that the arguments are unconvincing and that affected users have, to date, still not been contacted.
The problem with Facebook’s strategy here is that Facebook is viewing this as a PR problem. This problem, however, is far bigger than just something the media is talking about. People’s personal phone numbers are floating around on the dark web and open to exploitation by hackers. People’s personal lives are going to get ruined because of this. What’s more, even if the media somehow forgets about this story, litigation will not, as is evidently forming in Europe.
Further, if Facebook is worried about the PR side of this, what was leaked to the media makes Facebook look a whole lot worse on top of it all. Not only do they confirm that they are ignoring the story, they are also actively instructing staff to do so, literally in the hopes that this whole thing just blows over. For critics, it confirms the absolute arrogance of the higher-ups at Facebook. It is also another reason why Facebook should be held accountable for what happened.
Drew Wilson on Twitter: @icecube85 and Facebook.