Major parts of this event involve certain political actors from the United States; we will not discuss that aspect here and will focus instead on the cyber security implications.

Facebook, one of the largest social media firms, is now in the spotlight after details were revealed of a data leak to the behavioral analytics firm Cambridge Analytica. On Friday, March 16th, Facebook's Deputy General Counsel issued a statement that Cambridge Analytica and SCL Group were suspended from any further data collection. News reports began that night alleging that 50 million profiles had been harvested through the firm's data mining. The following day Facebook updated the post, stating that this did not constitute a data breach since "People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked." However, accounts from employees, including a co-founder of Cambridge Analytica, tell of a group of 270,000 users who consented to having their data harvested, and whose consent also swept in data belonging to their friends, who did not consent. The larger pool amounted to some 50 million raw profiles used by a third party, of which only about 0.54% (270,000 of 50 million) had agreed to such activity. Politics aside, this will have serious implications for cyber security going forward, as it has affected not just the United States but the United Kingdom as well.

What Happened

Christopher Wylie, the whistleblower in this incident, has been blunt about what happened and makes clear that the story began in 2014. A startup known as Cambridge Analytica was seeking to enter the world of political data. It had raised $15 million from investors and hyped its premier product: voter personality identification and behavioral influence. This was a bold claim, and with no actual product to show they had only their word. Cambridge Analytica could not deliver the promised product because it had no data to work with, which meant it had to be creative about how it obtained such a large volume of data.

It was at this point that Christopher Wylie, one of Cambridge Analytica's original employees, and Alexander Nix, its CEO, assembled a team of psychologists and data scientists from Cambridge University to develop the product. The goal was to build psychological profiles from data that was, at the time, unspecified. Traditionally, psychological profiles and voting predictions are built on purchasing behavior. Mr. Wylie had taken an interest in newer methods from Cambridge University's Psychometrics Centre, which had worked out a way to map personality traits from Facebook Likes. The Centre had gathered its data through a Facebook app it developed, paying users a small amount of money to take a quiz while allowing the Centre to mine private data from the user and from the user's friends. This detail matters later. Although this research and app were the missing link, Mr. Wylie needed the Psychometrics Centre, and it refused to work with Cambridge Analytica. One rogue professor, Dr. Kogan, did agree: he built a duplicate app for Cambridge Analytica under an arrangement that let him keep a copy of the data for his own research. Facebook's statement suggests the company assumed the data was being used only for research and not passed to a third party. The number of people who consented to have their data mined, as noted above, was 270,000.

At first one might wonder how 270,000 consenting users could yield 50,000,000 profiles. According to Pew Research, in 2014, when all of this was happening, roughly 15% of users had more than 500 friends. Some quick math: 15% of 270,000 is 40,500. Multiplied by 500, that gives 20,250,000, so that small slice alone accounts for about two fifths of the total. Given that the app could mine data from each consenting user and all of their friends (ignoring overlap between friend lists, which would reduce the count somewhat), 50,000,000 becomes a very reasonable number.

Why Is This Important: Access & Ownership!

What is happening right now raises an important conversation about third-party access and accountability. Facebook claims there was no data breach because its security systems did not fail. What has upset the public, however, is that data was mined without their consent. Facebook Likes may seem benign on the surface; yet the data was actionable for a third party and has had far-reaching social impact. This is a lesson not just for Facebook but for any company: just because data is not traditionally labeled as sensitive does not mean it is harmless.
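The two points above, that one user's consent swept in friends who never consented and that "legitimate" access can still leak data at scale, come down to how far an access grant is allowed to reach. The following is an added example, not code from the original article and not Facebook's actual data model or API: a constructed toy social graph (FRIENDS, LIKES) and two hypothetical policies (SELF_ONLY, where a grant covers only the granting user, and FRIENDS_READABLE, where it also covers that user's friends one hop out). exposed_users computes who an app can read under each policy, read_likes is the check a data endpoint should make before returning a subject's data, and consenting_share reproduces the 270,000-of-50-million effect on the toy graph.

```python
"""Transitive consent in a social graph: why one user's grant can expose many.

Added example; the graph, likes and policies below are constructed for
illustration and are not Facebook's real data model or API.
"""

# Constructed toy social graph: user -> set of friends (symmetric edges).
FRIENDS = {
    "alice": {"bob", "carol", "dave"},
    "bob": {"alice", "erin"},
    "carol": {"alice"},
    "dave": {"alice", "frank"},
    "erin": {"bob"},
    "frank": {"dave"},
    "grace": set(),
}

# Constructed toy Likes, the "benign" signal the article discusses.
LIKES = {
    "alice": {"hiking", "jazz"},
    "bob": {"chess"},
    "carol": {"jazz", "baking"},
    "dave": {"football"},
    "erin": {"knitting"},
    "frank": {"hiking"},
    "grace": {"opera"},
}

# Two hypothetical access policies for a third-party app.
SELF_ONLY = "self_only"                # a grant covers only the granting user's own data
FRIENDS_READABLE = "friends_readable"  # a grant also covers the granter's friends (one hop)


def exposed_users(consenters, friends, policy):
    """Users whose data an app can read, given the set of users who granted it access."""
    consenters = set(consenters)
    if policy == SELF_ONLY:
        return consenters
    if policy == FRIENDS_READABLE:
        reached = set(consenters)
        for user in consenters:
            reached |= friends.get(user, set())  # one hop only; friends-of-friends stay out
        return reached
    raise ValueError(f"unknown policy: {policy!r}")


def read_likes(subject, consenters, friends, likes, policy):
    """The check a data endpoint should make before handing a subject's data to an app."""
    if subject not in exposed_users(consenters, friends, policy):
        raise PermissionError(f"no grant covers {subject!r} under policy {policy!r}")
    return likes[subject]


def consenting_share(consenters, friends, policy):
    """Fraction of exposed users who actually consented (the article's 270,000 of 50 million)."""
    consenters = set(consenters)
    return len(consenters) / len(exposed_users(consenters, friends, policy))


if __name__ == "__main__":
    granted = {"alice"}  # one quiz-taker grants the hypothetical app access
    for policy in (SELF_ONLY, FRIENDS_READABLE):
        reached = exposed_users(granted, FRIENDS, policy)
        print(f"{policy}: {len(reached)} profiles readable, "
              f"{consenting_share(granted, FRIENDS, policy):.0%} of them consented "
              f"-> {sorted(reached)}")
    try:
        read_likes("carol", granted, FRIENDS, LIKES, SELF_ONLY)
    except PermissionError as err:
        print("self_only blocks the friend read:", err)
    print("friends_readable leaks:", read_likes("carol", granted, FRIENDS, LIKES, FRIENDS_READABLE))
```

On this toy graph a single grant from alice exposes four profiles under FRIENDS_READABLE, so only 25% of the people whose Likes the app can read actually agreed; the same one-hop expansion applied to 270,000 consenters with large friend lists is what produces a figure in the tens of millions. The SELF_ONLY policy is the least-privilege form: each subject's data requires that subject's own grant, and read_likes refuses anything else.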

Expect in the coming days a reignited debate about who owns the data: the platform or the individual. People will challenge Facebook's claim that it keeps their data secure, and the fact that the data was accessed and mined through legitimate means does not reflect well in the public's eyes. This story is still unfolding, and Facebook's response may shape cyber security definitions of ownership and access going forward. IT Security Central will be keeping a close eye on this as it develops.