Facebook's 6-Million-User Breach A Frightening Reminder To Retailers About Data-Sharing Partner Risks

Tools

Retailers who worry about data and PII security issues were reminded Friday (June 21) that they have to worry about not only about their own systems, but the security mechanisms of every data-sharing partner. And given the social media goals of most chains, the fact that it was Facebook fessing up to a 6-million-user data leak didn't help their nerves.

It didn't help matters that Facebook said it discovered the problem the week of June 10, fixed it within 24 hours but didn't reveal the problem until late in the day on June 21. (Want to bury news? Release it at 4:50 PM on a Friday in late June.) Reuters quoted an unnamed Facebook spokesperson attributing the delay to "a company procedure stipulating that regulators and affected users be notified before making a public announcement."

It's not clear how many "affected users" were notified or when, but given the very public nature of Facebook and the fact that nothing was reported until late on June 21, it appears to have been either a small number or they were also not told until very late on Friday.

When Facebook did eventually reveal the breach, they got into fairly decent details about what happened. The details of the breach illustrate how innocuously these problems can crop up and how destructive they can be.

"When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. For example, we don’t want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook. Instead, we want to recommend that they invite those contacts to be their friends on Facebook," Facebook's blog post said. "Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional E-mail addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool. "

Facebook said it disabled the DYI tool, fixed the hole and reactivated the system the next day. In the interim, though, things got messy.Facebook said it disabled the DYI tool, fixed the hole and reactivated the system the next day. In the interim, though, things got messy.

"We've concluded that approximately 6 million Facebook users had E-mail addresses or telephone numbers shared. There were other E-mail addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the E-mail addresses or telephone numbers impacted, each individual E-mail address or telephone number was only included in a download once or twice," Facebook's statement said. "This means, in almost all cases, an E-mail address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool. We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing. Although the practical impact of this bug is likely to be minimal since any E-mail address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it's still something we're upset and embarrassed by."

That's the problem with the ultra-connected world of social media, especially with companies—many of whom have much less sophisticated security mechanisms than Facebook—trying to come up with new and experimental ways to get people to give more information, to be used in as many creative ways as possible.

The real problem is that retailers will be blamed (with one exception) even if the breach was entirely not the chain's fault, nor was it even something the chain could have known about.

The exception would be for those very rare instances where the breached party has stronger name recognition—and was prominently flagged to the shoppers from the beginning of the program—than the retailer. A breach with a Facebook, Google, Visa or PayPal may--just may—get some of the blame for their mishap.

Typically, though, the shopper will see it as having given their information to Walgreens or Target or Macy's and that's where the blame will fall. Will those shoppers stop buying stuff from that chain? If historic consumer shopping patterns hold, absolutely not. But there is a very strong chance that those shoppers willstart holding back data and cooperating less in CRM campaigns.

Ultimately, that could cost retailers a lot more money—and opportunity—than anything else.

What's a retailer to do? Beyond the contractual commitments from partners to adhere to various security requirements sent by the chain, periodic on-site inspections and other audits—albeit unseemly, awkward, time-consuming and expensive—is something to be seriously considered.

First, if you find something, you can both fix it and penalize the partner. But much better is the second reason: the fact that you'll be routinely—and with unannounced frequency—doing inspections will be enough to make the data-partner take your rules seriously.

Heck, if you're going to be blamed for the breach, you might as well as get deeply involved in the process.