Bug bite for Facebook users

Last Updated: Sun, Jun 23, 2013 05:51 hrs

An "embarrassed" Facebook has disclosed that a technical bug compromised personal details such as phone numbers and email addresses of six million users worldwide.

This has made the clamour for data security norms grow louder so that users in countries like India, which does not have privacy legislation, get a shield.

A Facebook spokesperson declined to share country-specific numbers. Users in India, which has 78 million Facebook users, were also affected.

Facebook made the announcement on Saturday morning. In a blog post, it said the breach could have occurred when a user downloaded an archive of his or her account through the Download-Your-Information tool. "They may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection," said the note. The company said it took "people's privacy seriously" and had "no evidence that this bug has been exploited maliciously."

"Even with a strong team, no company can ensure 100 per cent prevention of bugs, and in rare cases we don't discover a problem until it has already affected a person's account.... Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it's still something we're upset and embarrassed by, and we'll work doubly hard to make sure nothing like this happens again," the company said.

Users whose accounts were affected have also got an email from Facebook informing them of the issue.

This incident, preceded by several such large-scale data breaches involving companies such as LinkedIn and Amazon in the recent past, has prompted experts to call for basic data security standards that should be followed by all internet companies globally.

"There have to be broad guidelines which draw a legitimate red line on what is an acceptable practice in terms of data collection and what security measures they need to put in place," said Parminder Jeet Singh, executive director of technology advocacy and research firm IT for Change. Laws of one country might not be applicable to technology firms that have servers elsewhere. There has to be "some kind of a global consensus on data security policies," said Singh.

Kamlesh Bajaj, chief executive officer of the Data Security Council of India, said that forums such as the Privacy Commissioner's Conference are discussing these issues and that some solution will emerge from those discussions. Akhilesh Tuteja, executive director of audit and consultancy firm KPMG, said that it is very difficult for the entire world to agree on norms, as every country's tolerance levels in terms of data privacy are different. However, Bajaj said that in case of such breaches it is the company's responsibility to ensure that the data is encrypted so that even if it is leaked, no one can read it.

Tuteja, on the other hand, said that the security threat will never go away and users will just have to protect themselves by making smart judgments about how much they should share online. "Technology of these platforms is growing very fast and so is sophistication of tools to break into their security." He added that users' behaviour online and privacy legislation are swinging wildly right now. "The water should find its own level in some time."


LinkedIn: In June last year, the site was hacked and passwords of around 6.5 million users were stolen by cybercriminals. The passwords, which were encrypted, were decrypted and posted online. LinkedIn apologised but had to battle a lawsuit.

Amazon: In January last year, the online retailer's sister concern was a victim of an attack that stole phone numbers, email IDs and billing addresses of 24 million customers. The company said credit card details were safe. But it had to face a class-action suit.

Dominos: In India, the website of the popular pizza delivery chain was hacked, allegedly by a group of Turkish hackers. Information, including names, phone numbers, email addresses and passwords of about 37,000 users, was stolen. It was the second such hacking faced by the company in the last few years.
