Breach please! Why companies like Facebook need to be held accountable by CERT-IN.

Donate to help sustain our work

Tl;dr

Cybersecurity researchers have reported that the personal data of 50 crore plus Facebook users, which includes over 60 Lakh Indian Facebook users, is available on the internet for free. This is yet another data breach in a series of data breaches. We have ourselves addressed several such breaches in the past, and this is the second such post only in the last fortnight. In this post, we discuss the steps you can take if your data has been compromised because of the breach. We also discuss the steps we take to ensure the security of your data over the internet. One of the steps we take is raising digital rights concerns with competent authorities. To address the concerns of Indian Facebook-users affected by the data breach, we have written to the Computer Emergency Response Team (CERT-IN), asking them to initiate an inquiry over the breach under Section 70B(6) of the Information Technology Act, 2000.

Background

On 31st March 2021, we provided details of the data breach of Indian MobiKwik users and pointed out five steps we expected MobiKwik to take to alleviate the situation. On 3rd April 2021, information on another significant data leak surfaced. The leaked data pertains to information on users collected by Facebook as a pre-condition to avail its services. Vice had first reported this leak in January 2021, stating that a bot was selling data of 500 million plus Facebook users.

Now, a cybersecurity researcher has revealed that the data of these 50 crores plus Facebook users, which includes over 60 Lakh Indian Facebook users, is available on the internet for free. The data contains sensitive information of users such as phone number, Facebook ID, location, past locations, birthdate, email address and relationship status. This data breach violates the privacy of lakhs of Indians and puts them at risk of various kinds of frauds including identity theft. These are real risks that put millions of Indian to risk of potential cyber criminals and online scams.

Facebook’s response

Facebook has not informed the users whose privacy has been compromised. Facebook has instead claimed that the data is from 2019 and that it had fixed the issue back then. However, even if the data is from 2019, the breach is still concerning because individuals do not change their personal information, especially email addresses and phone numbers, over such a short period. Also, this breach speaks to fairly weak cyber security practices by a large silicon valley company that literally has billions of dollars in revenue. This demands a more thoughtful and considerate approach by them. They should notify users whenever a breach takes place and also a review of it’s policy by which it seeks large amounts of information including the phone numbers of its users. We also have reason to be circumspect, as if we go by the logic of the explanation, Facebook despite being aware of the data breach since 2019 did not inform users. Facebook needs to do better starting now!

How can you respond to the breach?

We have reviewed advice from several cyber security experts and also hope to provide you with actionable advice on what you can do to mitigate the risks which emerge from data breaches. Please exercise your own judgement, because by all means, we are not perfect and such personal decisions must be made only after reflection of your risk levels, independent study and research.

For one, you need to get better invested with the emerging policy and laws around data breaches. For instance there is no clear legal requirement that is triggered on a data breach for your right to know if you have been affected by the breach. This is difficult because Facebook has not yet informed users. Moreover, as we highlighted here, the law as it stands and the proposed Personal Data Protection Bill, 2019 (PDPB, 2019) do not even require Facebook to inform users whose privacy has been violated.

Second, while laws may not be very helpful, to overcome this information asymmetry, you can use either haveibeenpwned and, “Safe me”. We think these solutions are relatively safe but ask you to exercise independent judgement. Haveibeenpwned is a free to use website where users can learn whether their accounts have been compromised. The website does this by aggregating information from data breaches, and you can check out more information on its functionality - here. “Safe me” is an app that is available over android and IOS, and it assesses the cyberisk of a user on a scale of 1 to 5. Interestingly, the app has certain courses which one can take to improve their ‘safety score’.

Third, once you find out that your Facebook data has been compromised and if you want to avoid such a situation again, the best option is to delete your Facebook account. However, most of us cannot afford to do so because of the sheer market dominance of Facebook. It is a hostage situation - all our friends, families and colleagues are on Facebook. If Facebook permitted interoperability, we could have interacted with our connections who are on Facebook through a more secure social networking website. Since this is not the case, experts suggest that affected users should change their passwords immediately and consider removing information that does not ‘need’ to be on Facebook.

A word of caution - such responses are a bandage on a bullet hole. To prevent such breaches, we need structural changes that ensure that such breaches do not even occur. If they do, data processors such as Facebook in this case, act in a responsible manner. This is why we engage with the development of the Data Protection and cyber security laws. Currently, we have been analysing PDPB, 2019 through a four-part series and we have previously critiqued Facebook’s Human Rights Policy and WhatsApp’s privacy policy.

How are we raising this issue?

Apart from the above, to address this massive data breach of Indian Facebook users, we have addressed a letter to CERT-IN. CERT-IN is responsible for collecting, analysing, and disseminating information on cyber incidents and undertaking measures to handle cybersecurity incidents.

We had written to CERT-IN even after the MobiKwik breach and are thankful to them for acknowledging our request. The agency had assured us that it would take appropriate action. In this letter, we have highlighted the concerns we have raised above and requested CERT-IN to inquire into the data breach of Indian Facebook users. We have also asked CERT-IN to call upon Facebook to explain why such a breach took place, examine the period from which the data pertains and publicly disclose its steps to remedy the situation. We are hopeful that an enquiry by CERT-IN will make Facebook provide relief to the affected users.

We will continue to follow-up and assist CERT-IN regarding both the data breaches that have come to light in the past few days.

Important Documents

  1. Our letter dated 8.04.2021 to the Indian Computer Emergency Response Team to conduct an inquiry into the data breach Indian Facebook users (link)
  2. IFF post discussing the MobiKwik data breach (link)
  3. IFF post highlighting other recent security breaches (link)
  4. IFF post pointing out the security vulnerability of a website that provided for on-boarding services with BHIM (link)
  5. IFF post discussing the need to provide legislative protection to security researchers for responsible disclosures (link)
  6. Public Brief and Analysis of the Personal Data Protection Bill, 2019. (link)