Data Loss Prevention (DLP) , Fraud Management & Cybercrime , Governance & Risk Management

Facebook: 87M Accounts May Have Been Sent to Cambridge Analytica

Social Networking Giant Also Says Malicious Actors Scraped Public Profiles
Facebook: 87M Accounts May Have Been Sent to Cambridge Analytica
Sign outside Facebook's headquarters in Menlo Park, California. (Source: Facebook)

Facebook says up to 87 million people may have had their personal details transferred to Cambridge Analytica, a voter-profiling company that denies the data powered digital ad targeting for President Donald Trump's 2016 campaign.

See Also: Secureworks Named a Major Player in the 2024 IDC MDR Marketscape

The figure exceeds the 60 million estimate from a whistleblower who worked as a data scientist at Cambridge Analytica. It is also the first estimate provided by Facebook since the scandal erupted after exposés in The Observer and The New York Times last month.

About 70 million of the users possibly affected are in the U.S., with the remainder in Australia, the U.K., the Philippines, Indonesia, Mexico, Canada, India, Brazil and Vietnam. That could open up Facebook to new probes from regulators in addition to ones under way in the U.S., U.K. and Canada.

The company plans to begin notifying those whose information may have been improperly shared starting on Monday, as well as clearer information about what apps are connected to a person's account.

Starting Monday, Facebook will notify users of apps connected to their account (left) and if their data may have been exposed to Cambridge Analytica (right).

Facebook's Chief Technology Officer Mike Schroepfer relayed the figure at the end of the blog post that outlined nine new data-sharing restrictions. Since the Cambridge Analytica scandal took hold, the company has scrambled to revise privacy settings to reassure users and fend off regulators.

"Overall, we believe these changes will better protect people's information while still enabling developers to create useful experiences," Schroepher writes. "We know we have more work to do, and we'll keep you updated as we make more changes."

Cambridge Analytica: Wrong Figure

Facebook's founder and CEO, Mark Zuckerberg, has taken a chief role in trying to tamp down anger towards the social network. Previous privacy controversies have tended to quickly fade, but this one has endured because of Cambridge Analytica's work with the Trump campaign.

Zuckerberg is expected to appear next week before the House Energy and Commerce Committee on Wednesday and before at least one Senate committee, The New York Times reports.

In an undercover video from broadcaster Channel 4, Cambridge Analytica executives described how they crafted online campaign messages designed to draw in potential Trump voters, giving him an edge in critical states.

But the company, which is owned by British military contractor SCL Group, denies that it used the Facebook user data for its Trump work. In a statement Wednesday, Cambridge Analytica disputed Facebook's figure, saying it only acquired data for 30 million users.

The data came from Cambridge University lecturer Aleksandr Kogan, who ran his own company called Global Science Research. Kogan acquired the data by deploying an app called This Is Your Digital Life on Facebook in 2014.

Aleksandr Kogan (Source: University of Cambridge)

The app purported to be a personality survey, and it was used by around 270,000 people. At the time, Facebook allowed apps to collect personal information not only from direct users of the app but also their friends without consent unless those people had a specific privacy setting enabled. That greatly expanded the reach of Kogan's app.

Kogan sold the data to Cambridge Analytica, which was in violation of Facebook's rules. Facebook had known about the situation since 2015, but only last month banned Kogan and Cambridge Analytica.

Facebook arrived at the 87 million figure by looking at who actually used This Is Your Digital Life and then counting all of those users' friends.

CNN quoted Zuckerberg as saying on Wednesday that "I'm quite confident given our analysis it is not more than 87 [million]. It very well could be less. But we wanted to put out the maximum we felt that it could be as soon as we had that analysis done."

Cambridge Analytica maintains that it deleted the data after Facebook told the company more than a year ago that the information had been improperly acquired.

"When Facebook sought further assurances a year ago, we carried out an internal audit to make sure that all the data, all derivatives, and all backups had been deleted, and gave Facebook a certificate to this effect," the company says. "We are now undertaking an independent third-party audit to demonstrate that no GSR data remains in our systems."

However, the exposes in the Observer and The New York Times reported some of the raw data still exists. That sparked further enquiries from Facebook, and the U.K. Information Commissioner's Office executed a search warrant at Cambridge Analytica's offices.

Tighter Data-Sharing Rules

Privacy advocates have long alleged Facebook allowed too much access to personal data. In 2007, Facebook launched its Platform, a wildly successful program that allowed app developers to tap deep into peoples' online activity. It also grew an immensely profitable targeted online advertising business.

But it's that permissive data sharing that Facebook says it will now pull back from. Many of the changes will restrict access to user data by apps with an eye to ensuring that users are aware and consent.

"Given the scale and sophistication of the activity we've seen, we believe most people on Facebook could have had their public profile scraped in this way."
—Mike Schroepfer, Facebook's CTO

For example, Schroepher writes that as of Wednesday Facebook is changing developers' access to the Events API. When someone granted permission to an app to look at an events page, the app could also collect the full guest list of the event as well as comments on the particular page.

Schroepher also writes that Facebook is making changes as a result of large-scale scraping of people's public profiles.

Facebook's search and account recovery feature allows searches for users based on a phone number or email address. The feature has been embraced by countries where people have longer names, such as in Bangladesh, saving people from having to type full names.

But Schroepher writes that "malicious actors" have been scraping public Facebook data using phone numbers and email addresses they already possess.

"Given the scale and sophistication of the activity we've seen, we believe most people on Facebook could have had their public profile scraped in this way," he writes. "So we have now disabled this feature. We're also making changes to account recovery to reduce the risk of scraping as well."

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.