Did Facebook downplay the April ’21 data breach in an internal email?
An internal Facebook email, accidentally sent to Belgium-based Data News, has revealed its strategy for dealing with the leaking of account details from 533 million users.
It suggests the social network expected more such incidents and was planning to frame it as an industry problem that was a normal occurrence.
It also said the media attention would die down.
As a result it planned to issue limited statements about the issue.
Facebook’s long-term strategy is to desensitize users about leaked data dumps that were collected through scraping the public portion of the social network.
The plan was revealed after the company leaked to journalists internal communication intended for Facebook’s public relations staff in Europe, Middle East, and Africa.
Facebook’s decision comes after mobile phone numbers and other personal information belonging to about 533 million of its users was published on a hacker forum. Among the phone numbers in the database was that of Mark Zuckerberg, Chris Hughes, and Dustin Moskovitz, three of the Facebook social network founders.
When inquiring about the 533 million data breach, a journalist at DataNews publication in the Netherlands received by accident internal communication from Facebook on how to handle the incident.
According to DataNews, Facebook decided to keep statements at a minimum and wait for media attention to wane. Action in the long run includes dismissing scraping incidents “as a broad industry issue” that occurs regularly.
“Longer term, though, we expect more scraping incidents and think it’s important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly,” reads the internal communication.
The email also mentions the company’s plan to publish a post about Facebook’s anti-scraping effort and transparency about how the issue is being tackled.
Facebook’s goal with this is to “avoid criticism,” which it has seen plenty for downplaying the seriousness of the 533 million user data leak by labeling it as “old data that was previously reported on in 2019.”
Available below is the full email that DataNews received by accident is addressed to the PR staff for EMEA region. It includes updates on materials released for users and regulators as well as a summary of the interest generated among media publications and social conversations.
Data News also questioned Facebook’s assertion that the problem was discovered and resolved in August 2019, pointing out that ethical hacker Inti De Ceukelaire warned the company two years earlier that it was possible to find someone’s phone number via Facebook.
Mr. De Ceukelaire told the BBC that the leaked memo “revealed what we have suspected for a long time but now it is there in black and white – Facebook cares more about its reputation than informing its users”.
He said that Facebook had attempted to “spin the problem”.
“At first they were completely silent, then they gave the press one sentence about how the data was old and when that didn’t work they started talking about how it was all about scraping rather than Facebook’s own system.”
He added that the data was not old, because phone numbers usually do not change, and also that the original privacy settings for phone numbers were extremely confusing.
