Facebook has defended its security following its latest data security breach, but has been criticised for failing to apologise to users.
In recent days it has emerged that personal data linked to more than 500 million Facebook accounts had been posted freely on a hacking forum, including data from about 11 million UK users.
In response, Facebook said personal data taken from the social network was “scraped” using a now-fixed flaw rather than hacked from their systems.
The database consisted largely of phone numbers but also included some other information such as email address, dates of birth and addresses.
But Facebook has defended itself and its security by saying the information was gathered before September 2019, when the company found, disclosed and fixed the issue used to gather the data.
The social network did not, however, offer any apology for the incident, leading one industry commentator to describe the social media giant’s response as “cold, clinical, defensive and argumentative”.
The firm has been at the centre of a number of data privacy issues and breaches in recent years, including the Cambridge Analytica scandal, and the company’s approach to user-data and privacy has been repeatedly criticised.
This latest incident is now being investigated by data privacy watchdogs, including Ireland’s Data Protection Commission (DPC), which is the social network’s lead regulator in Europe.
This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet servicesMike Clark, Facebook product management director
In a blog post on the incident, the social network’s product management director, Mike Clark, said the database had been built using software that took advantage of a flaw in Facebook’s contact importer tool.
This is a feature which allows people to match phone numbers they already have saved with accounts on Facebook in order to find friends on the platform.
However, Mr Clark said Facebook had already found and fixed the problem.
“Scraping is a common tactic that often relies on automated software to lift public information from the internet that can end up being distributed in online forums like this,” he said.
“The methods used to obtain this data set were previously reported in 2019.
“This is another example of the ongoing, adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services.
“As a result of the action we took, we are confident that the specific issue that allowed them to scrape this data in 2019 no longer exists.”
Mr Clark added that “scraping data using features meant to help people violates our terms” and that the social network had teams across the company working to detect such behaviour.
For a business that’s all about friendships and connections, Facebook has yet again made more enemies insteadIndustry commentator Matt Navarra
Facebook said it was working to get the data set taken down and encouraged users to update the privacy settings around their accounts, including who can see certain information on their profile.
Social media expert and industry commentator Matt Navarra said Facebook’s response failed to show enough empathy to those affected by the breach.
“Facebook’s explanation of it being data scraping, not hacking, is only part of the story here.
“It’s also about the way Facebook communicates. Its tone and demeanour fail to strike the right tone with the victims of the incident,” he told the PA news agency.
“Over 500 million users’ account details are being exploited due to vulnerabilities in Facebook’s systems.
“That’s 500 million users who want Facebook to show some level of empathy, regret, and who want an apology.
“Facebook’s response feels cold, clinical, defensive and argumentative. Almost like it is trying to play down the scale of the incident.
“Starting with ‘we’re sorry’ would have been a good opener.
“For a business that’s all about friendships and connections, Facebook has yet again made more enemies instead.”