Fifty Million Facebook Accounts Compromised: Is There any way to Keep our Data Safe?

October 2, 2018

Another major data breach was reported on Friday, September 28th, when Facebook disclosed that nearly fifty million user profiles had been hacked. Facebook’s investigation is in the initial stages, and thus details are sparse, but the following is known. Hackers were able to steal “access tokens,” which are essentially digital keys that allow users to stay logged into Facebook without having to re-enter their password. The hackers were able to steal the access tokens through a weakness in the code related to Facebook’s “View As” feature. The View As feature allows users to visualize how their profile appears to other users, such as particular friends, friends of friends, or the general public. Once equipped with these access tokens, hackers are able to take over user’s accounts, and although not verified yet, possibly access much of a user’s profile data.
News of this significant data breach at Facebook would be unsettling if it was an anomaly, but, when viewed in context of the long line of major data breaches over recent years, it is truly chilling. Over the last decade there have been major data breaches in both the private and public sector. A few of the most significant are described below.
Concerning the public sector, a few years ago there was a data breach in the United States Office of Personal Management (OPM). The OPM is essentially the human resources office for the federal government and therefore contains extremely sensitive data on approximately twenty million federal employees, such as security clearances, personal finances, and psychiatric records. The private sector has faced even more significant data breaches. Two of the most significant are the Yahoo breach and the Equifax breach. In the Yahoo breach, which is the largest in history, three billon user accounts were compromised. The Equifax breach compromised Social Security numbers, birth dates, addresses, and, in some cases, driver’s license numbers for one hundred thirty-four million consumers.
The data breaches listed above are some of the biggest and most damaging in recent years, but they are not the alone. Other significant data breaches have occurred at such places as Adult Friend Finder, Anthem, eBay, JP Morgan Chase, Home Depot, Target, Adobe, Sony’s PlayStation Network, RSA Security, Heartland Payment Systems, TJX Companies, and Facebook. In short, it is likely that virtually every individual in America has had their personal data compromised in some way.
The recent Facebook data breach, especially viewed in the context of past data breaches, is a stark reminder that all individuals must take proactive steps to protect their data. Although at least some of your data has likely been compromised at this point it, this is no excuse for handing over the rest of your data willingly. There are countless steps that can be taken to protect your data, but there are at least four steps that every individual should take. First, not only should you password protect everything possible, but you should also use complex passwords that are different for each login. Considering the number of logins each individual has in today’s world, you should consider obtaining a password manager app in which all your passwords and logins can be securely stored. Second, whenever possible, use two factor authentication. Two factor authentication requires a second form of authentication (other than a password) to access an account and ensures your data is secure even if a hacker compromises your login credentials. Third, always connect to a secure password protected Wi-Fi network. If you must use a public Wi-Fi network, do so through a Virtual Private Network (VPN). Fourth, consider freezing your credit. Freezing your credit stops transactions that require credit approval from going through, unless you unfreeze your credit prior to the transaction.
The above steps will help ensure that your personal data will be protected from data breaches, but they are, unfortunately, not enough. Currently consumers do not have adequate tools at their disposal to more fully protect their data. Nor is the current regulatory scheme sufficient to protect against data breaches. Therefore, it is time for lawmakers to step in. Lawmakers should tackle data protection through a two-pronged approach. Under the first prong, lawmakers should set strict security standards for managing personal data that all public companies and governmental agencies must follow. This legislation could build on current legislation such as the Internet of Things CyberSecurity Improvement Act of 2017, which aims to set security standards for web connected products that are sold to federal agencies. Under the second prong, lawmakers must give individuals effective tools for combatting misappropriation of their data once it has been compromised. An example of this prong was put into effect recently in new financial legislation, which required that individuals could freeze their credit for free. Lawmakers will never be able to stop all data breaches, but smart legislation combined with proactive individuals will go a long way in curbing both the number and effect of data breaches.