Risk & Repeat: Facebook breach raises regulatory questions
This week's Risk & Repeat podcast discusses new developments regarding Facebook's recent data breach, as well as the social networking giant's response to the incident.
New developments in the recent Facebook breach have raised questions about regulatory requirements for data breach notifications, as well as the motivations of cybercriminals.
Last month, Facebook announced it had been breached by unknown threat actors who used exposed access tokens generated by the site's View As feature to gain entry to millions of user accounts. Originally, Facebook estimated that 50 million Facebook accounts were affected in the incident, but the company later downgraded that number to approximately 30 million accounts that had their names and contact information -- email, phone numbers or both -- accessed.
Facebook initially disclosed the breach just three days after the incident was discovered by the company's engineering team; this led experts to speculate that the General Data Protection Regulation's (GDPR) 72-hour breach notification deadline compelled Facebook to disclose the information before a full investigation was complete.
In addition, a report from The Wall Street Journal last week claimed the threat actors behind the Facebook hack were spammers who collected the account data for deceptive advertising. While Facebook has been a target of nation-state hacking and election-influencing efforts, the report claims the spammers had no affiliation with foreign governments.
Will GDPR and other regulations change how incidents like the Facebook breach are disclosed to the public? How should Facebook's response to the breach be graded? Is it surprising that the attackers were cybercriminals rather than nation-state threat actors? SearchSecurity editor Rob Wright and senior reporter Michael Heller discuss those questions and more about the Facebook breach in this episode of the Risk & Repeat podcast.