It took just three days for Facebook to notify authorities and the public that hackers had compromised as many as 50 million user accounts on the social media platform.
That's an incredibly swift response. The flip side: Facebook leaders did not have enough information to paint a clear picture of the hack and the risk to its users during the announcement. They didn’t offer details about who the attackers were, or what motivated them. Nor could they say where the affected users were located or how many users of Facebook-linked third-party applications were affected. “We're very early in the investigation. Our next priorities are understanding the full scope of impact,” Facebook head of cybersecurity policy Nathaniel Gleicher said in a call with reporters Friday.
The scarce information highlights a difficult trade-off companies must now consider as they face pressure from policymakers here and in Europe to disclose significant data breaches sooner. Europe’s new privacy law, the General Data Protection Regulation, imposes massive fines on companies if they don’t notify privacy regulators about a data breach within 72 hours. The rule took effect in May and applies to any company with E.U. customers. U.S. lawmakers have proposed a similar 72-hour rule to replace the patchwork of state data breach laws that exist here. By getting the word out early, companies alert users that their information may have fallen into bad hands. But they risk creating confusion by disclosing the breaches before key details are available.
Facebook’s former chief security officer, Alex Stamos, raised the issue in a pair of tweets Monday:
Interesting impact of the GDPR 72-hour deadline: companies announcing breaches before investigations are complete. — Alex Stamos (@alexstamos) October 1, 2018
1) Announce & cop to max possible impacted users.
2) Everybody is confused on actual impact, lots of rumors.
3) A month later truth is included in official filing. https://t.co/VSCVfYB8om
“You can do incident response quickly or correctly, but not both,” he wrote.
Early notification can offer important protections for users. For example, it gives breach victims an opportunity to change passwords and take other steps to secure themselves right away — not just on accounts that were compromised but in other places where bad actors might seek to gain access, such as bank accounts. “If we know something happened, we can take action,” said Karen Schuler, an expert in data breaches at the global accounting firm BDO and a former forensic investigator for the Securities and Exchange Commission. “If something did happen and I was impacted, I need to take steps to make sure I’m monitoring X, Y and Z accounts.”
But in disclosing a breach too early, “you lose the level of detail and granularity you’re going to get with a further investigation,” Schuler told me. “It can take up to weeks to actually get under the hood and understand what happened, what information might have been taken, who has it. Sometimes you’re not even able to find out the full extent.”
This is precisely what Facebook is wrestling with now. The company said Friday it had notified European data privacy regulators of the breach, in accordance with GDPR. Shortly after doing so, Ireland’s Data Protection Commission, the watchdog that monitors Facebook’s GDPR compliance, said Facebook’s disclosure “lacks detail” and criticized the company for being “unable to clarify the nature of the breach and the risk for users at this point.”
On Monday, the Irish watchdog said in a statement on Twitter that less than 10 percent of the 50 million compromised accounts were located in the E.U. “As we work to confirm the location of those potentially affected, we plan to release further info soon,” Facebook responded.
Still, it's worth noting that some of the biggest data breaches in recent memory took months or longer for companies to disclose. And in several cases, there were consequences. Equifax waited six weeks to reveal that the Social Security numbers and other sensitive information on 143 million Americans had been exposed in a data breach. Uber waited a year to reveal a hack affecting tens of millions of drivers — and just last week paid a $148 million settlement in connection with the incident. Yahoo also paid a fine earlier this year for waiting two years to tell investors that Russian hackers stole information on 500 million users.
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: FBI Director Christopher A. Wray on Monday urged a conference of corporate directors to seek assistance from the bureau when they suspect that their companies have suffered a cyberattack. “I know there’s sometimes a reluctance out there to turn to the feds when you’ve been hacked,” Wray said, according to his remarks prepared for delivery at the National Association of Corporate Directors' 2018 Global Board Leaders' Summit in Washington. “But we’re not going to rush in wearing raid jackets and shut down your operations. In our eyes, you are — and you should be treated as — a victim. But time is of the essence in these cases.”
Wray stressed that cyberattacks and theft of intellectual property can inflict long-term damage on American companies, according to his prepared speech. And there is no bigger threat on that front than China, according to the FBI director. “We’re getting more serious about the China threat. And we’re asking you to get more serious about that threat, too,” Wray said, according to his prepared remarks. “Because it’s only going to get worse. No country poses a broader, more severe intelligence collection threat than China. Actors working to benefit China — including state-owned and ostensibly private companies — are the most active perpetrators of economic espionage against us.”
PATCHED: The Energy Department on Monday announced awards of up to $28 million to help fund 11 cybersecurity research projects to strengthen the defenses of America's critical energy infrastructure, according to a news release from the department. The department selected projects from companies such as Dragos, GE Global Research and Schweitzer Engineering Laboratories. The final amounts of the awards are subject to negotiation, according to the department's news release. “Protecting the nation’s energy delivery systems from cyber-threats is a top national priority,” Energy Secretary Rick Perry said in a statement. “These awards will spur the next level of innovation needed to advance cyber resilience, ensuring that the nation’s critical energy infrastructure can withstand potential cyber attacks while also still keeping the lights on.”
Just last week, Karen Evans, the assistant secretary for the department's Office of Cybersecurity, Energy Security, and Emergency Response, said “energy cybersecurity and resilience” is one of the “most important security challenges” that the United States faces. “The frequency, scale, and sophistication of cyber threats have increased and attacks can be much easier to launch,” Evans told lawmakers Thursday during a House Energy and Commerce subcommittee hearing. “Cyber incidents have the potential to interrupt energy services, damage highly specialized equipment and threaten human health and safety.”
PWNED: A hacker group tied to Saudi Arabia used the Pegasus spyware from Israeli cyber-surveillance company NSO Group to break into the iPhone of a Saudi dissident living in Canada, according to a report from the Citizen Lab at University of Toronto's Munk School of Global Affairs and Public Policy published Monday. Researchers from the Citizen Lab said they have “high confidence” that the spyware infected the phone of Omar Abdulaziz after he clicked on a fake delivery notification link.
“After examining his text messages, we identified a text message that masqueraded as a package tracking link,” the report said. “This message contained a link to a known Pegasus exploit domain.” The Pegasus spyware can provide access to all personal files on an infected iPhone or Android device, according to the Citizen Lab. Moreover, those using the spyware can also access the phone's microphone or camera to spy on the victim.
The Canadian Broadcasting Corporation's Matthew Braga reported that Abdulaziz vowed not to be silenced despite the cyberattack against him as well as the recent imprisonment of his two brothers and several friends by Saudi authorities. “So many people are scared. They're scared to talk about what's happened to them. Maybe they experienced something even worse than me. But someone has to say no,” Abdulaziz said.
— The Senate Commerce Committee should hear from consumer privacy experts as lawmakers consider whether to develop data privacy legislation, a coalition of consumer and privacy groups said Monday. “There is little point in asking industry groups how they would like to be regulated,” the coalition said in a letter to Sen. John Thune (R-S.D.), the committee's chairman, and Sen. Bill Nelson (Fla.), the panel's ranking Democrat.
The Center for Digital Democracy, the Electronic Frontier Foundation, the National Association of Consumer Advocates and other groups signed the letter. They lamented that a recent hearing convened by the Commerce Committee included only industry representatives and “was unnecessarily biased” as a result. “We understand that you are planning to hold a second hearing in early October,” the letter said. “In keeping with the structure of the first hearing, we ask that you invite six consumer privacy experts to testify before the Committee.” The groups also suggested that the committee solicit input from other experts as well as state attorneys general.
— “It’s no secret the federal tech workforce is getting older, but some agencies are having a lot more difficulty recruiting young IT professionals than others, according to data from the Office of Personnel Management,” Nextgov's Jack Corrigan reported Monday. “And while civilian agencies generally face the most lopsided age disparities, the importance departments place on building a long-term talent pipeline varies greatly. In March 2018, only 3 percent of the government’s 84,097 tech specialists were less than 30 years old while some 14 percent of IT employees were over the age of 60. That means federal technologists at or approaching retirement age outnumbered their 20-something counterparts roughly 4.6 to 1.”
— More cybersecurity news from the public sector:
— “Travelers who refuse to surrender passwords, codes, encryption keys and other information enabling access to electronic devices could be fined up to $5,000 in New Zealand, according to new customs rules that went into effect Monday,” The Washington Post's Isaac Stanley-Becker reported. “Border agents were already able to seize digital equipment, but the Customs and Excise Act of 2018 newly specifies that access to personal technology must be handed over as well. The law provides, however, that officials need to have ‘reasonable cause to suspect wrongdoing’ before conducting a digital search — cold comfort for civil liberties advocates, who have sounded an alarm about the measure.”
— “The U.K.’s Financial Conduct Authority issued a £16.4 million ($21.4 million) penalty to Tesco Bank for failing to protect clients from a cyberattack in November 2016,” the Wall Street Journal's Mara Lemos Stein reported Monday. “This is the first time the FCA has taken enforcement action related to a cyberattack, revealing the regulator’s willingness to address lapses of risk management by financial institutions.”
- U.S. Election Assistance Commission Election Readiness Summit in Washington tomorrow.
- Privacy Security Forum in Washington tomorrow through Friday.