The events revealed so far in the emerging Facebook and Cambridge Analytica story, may not be a data “breach” but nevertheless serve as a wakeup call to millions sharing personal information.
Following reports that Cambridge Analytica, a data analysis firm reportedly used in the last presidential campaign, acquired and used Facebook data on some 50 million people without their consent, Facebook CEO Mark Zuckerberg acknowledged his company was partially to blame. “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” Zuckerberg wrote in a Facebook post. He added, “It was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.”
Some compared the exposure to a data breach. San Diego-based The Identity Theft Resource Center, which chronicles data breaches, took the extraordinary step by responding to the recent developments in a press release. “The misuse of millions of Facebook users’ data cannot be classified as a breach one way or another given the lack of specifics currently available.” They did warn consumers about underestimating the value and potential mine-ability of their personal identifying information. Eva Velasquez, president and CEO of the ITRC, said. “Many times, users do not understand that there can be unintended consequences to adding information to their account.”
Gene Fredriksen, chief information security strategist for PSCU, pointed out that people might assume the effects from a breach limited to the breached company. “The truth is that the aggregate information from a series of breaches can build an extensive personal profile.”
In the case of Facebook, Fredriksen suggested everyone should consider information in their profiles, discussions in their posts and revelations through their friends list. He added, “Combine the Facebook information with the financial and account information from an Equifax breach and information from a personnel department breach, such as the Office of Personnel Management, and you can build a cradle-to-grave personal history. A treasure trove for anyone wanting to steal identities, commit other kinds of fraud, or simply resell the bundled information to other criminals.”
This situation does not pose specific risks to credit unions as a routine data breach would, John Buzzard, industry fraud specialist, CO-OP Financial Services, observed. “The vast information in play here was digitized and scored into behavioral analysis for the benefit of the third-party research firm and its clients.”
Buzzard maintained this situation really is a great cautionary tale for consumers who willingly overshare their activities and preferences on social media without properly understanding the possible extrapolation of their activity not in tandem with their personal, financial or political views. “This Big Brother scenario, often feared by consumers, rarely gets put at the top of their list of privacy priorities when it comes to online entertainment and communication.”
Buzzard did provide one caution, “Software developers always tell you about the risk in working with a third-party vendor and now, more than ever, we all have to ensure that our data is leveraged and limited to the scope that most reasonably serves our clients and nothing more. We all have to ask better questions and understand where the buck and the data stops.”
Rebecca Herold, president of the Des Moines, Iowa-based SIMBUS and CEO of The Privacy Professor, said, “There are many dangers to the public, as well as to credit unions, especially those that have pages on Facebook.” Herold maintained credit unions should consider what type of personal details or inclinations are available on pages through comments, posts and activities.
Herold noted “Cambridge Analytica performed big data analytics on all this data, and used new types of artificial intelligence, to gain insights into lives (incomes, locations, race, religion, etc.) of people on Facebook.” Those insights could help in trying to persuade members to buy things or use their information to target them as potential crime victims. “We simply do not know all the entities that now have all this data that they collected.”