Facebook exposed private photos from up to 6.8 million users to apps that weren’t supposed to see them, the company said today. These apps were authorized to see a limited set of users’ photos, but a bug allowed them to see pictures they weren’t granted access to. These included photos from people’s stories as well as photos that people uploaded but never posted (because Facebook saved a copy anyway).
The exposure occurred between September 12th and September 25th. Facebook told TechCrunch that it discovered the breach on the 25th; it isn’t clear why the company waited until now to disclose it. (Perhaps it’s because the company was dealing with a separate and substantially larger breach that it also discovered on September 25th.)
Affected users will receive a notification alerting them that their photos may have been exposed. Facebook also says it’ll be working with developers to delete copies of photos they weren’t supposed to access. In total, up to 1,500 apps from 876 different developers may have inappropriately accessed people’s pictures.
Facebook said the bug had to do with an error related to Facebook Login and its photos API, which allows developers to access Facebook photos within their own apps. All of the impacted users had logged into a third-party app using their Facebook accounts and granted them some degree of access to view their photos.
“We’re sorry this happened,” writes Tomer Bar, engineering director at Facebook. The disclosure comes exactly one day after Facebook opened a pop-up installation in New York to show people how “you can manage your privacy” on the site.
Facebook has been in hot water again and again this year over data breaches and exposures, most notably with Cambridge Analytica. In many cases, the problems haven’t been caused by hackers, but they have stemmed from issues within Facebook itself. The Cambridge Analytica breach happened because of Facebook’s lax oversight of developers and data sharing; today’s issue happened because of another breakdown in communication between Facebook and developers.
Google has already pledged to shut down Google+ over similar issues. Twice this year, the service exposed information inappropriately to developers.
Why do companies have a Business Continuity Management (BCM) plan?
It has been said that an “ounce of prevention is worth a pound of cure.” This advice is especially true when it comes to planning for business continuity during natural disasters. Given the many competing priorities facing company leaders, it can be easy to assume, because severe weather events and natural disasters are rare, that anticipating them doesn’t require immediate attention. But such thinking is effectively gambling with your company’s ability to operate, because if recent history is any guide, severe natural events are now occurring with alarming frequency.
Earlier in January, the United States experienced an Arctic blast that subjected many cities to sub-freezing temperatures for more than two weeks. Simultaneously, a “bomb cyclone” along the east coast of the U.S. left states from Georgia to Maine mired in ice and blizzard conditions. Last summer saw some of the most extreme tropical weather events ever witnessed in North America, when Hurricanes Harvey, Irma and Maria devastated the Caribbean and the southeastern United States within a single month.
As alarming as the frequency of these extreme events is their severity. When Hurricane Maria made landfall in Puerto Rico, it knocked out power and water to nearly the entire island. Today, roughly 40% of the island still has no electricity. Hurricane Harvey dropped more than 27 trillion gallons of water on Louisiana and Texas; more than 40 inches of rain fell in some areas of Texas over a four-day period. The impact on just one industrial sector was significant: As much as 31% of total U.S. refining capacity had to be taken offline or drastically reduced in the wake of the storm.
Mother Nature is as unpredictable as she is unrelenting, and that is why companies are smart to have in place business continuity management systems (BCM) sooner rather than later.
As we all know, the longer a company experiences downtime, the more money it loses, not to mention reputational damage and loss of market share. Anticipating the likelihood of severe events and mitigating downtime that follows is a wise investment of time and manpower. But it is important not to equate emergency management or crisis response plans to a BCM system. The former are appropriate for specific catastrophic incidents, such as a computer network failure at a power plant, structural failure at an offshore oil rig, or a cyber-attack. While having such emergency management and crisis response plans in place is important, they are different from a BCM plan, which guides the business in the event of a large-scale, long-term disruption resulting from extreme weather and natural disasters – or man-made disasters such as terrorism.
A BCM system is a holistic management process that identifies potential threats and vulnerabilities to a company’s business and operations, develops strategies to make operations resilient to a large-scale event, and employs procedures to quickly restore services and continue operations. This is done through a comprehensive set of arrangements and processes that define specific measures a company can proactively follow to prepare for a crisis or disaster, hopefully prevent some of the worst scenarios, respond during the actual crisis, and effectively manage the long-term recovery (see illustration below). Its purpose is to restore mission critical services and operations following a disruptive event as quickly and effectively as possible.
There are six key steps to building a BCM plan:
Step 1: Establish Planning Roles and Responsibilities
Identifying and understanding who in the company is responsible for specific essential tasks during and after a severe event is critical to effectively responding and recovering from the event.
Step 2: Conduct Risk Assessment
Understanding all the risks that can impact the business during a severe event is critical to effectively managing them. Companies should conduct a thorough risk assessment to identify and prioritize all risks that could arise during a severe event.
Step 3: Conduct Business Impact Analysis
Determining the impacts of all identified risks on specific business processes will help companies to appropriately prioritize available resources to mitigate the loss or disruption of key operations and services.
Step 4: Develop Continuity Strategies
Plans, procedures and agreements, such as memorandums of understanding with emergency suppliers, put in place ahead of time to prevent, detect, respond to, and recover from severe events are fundamental building blocks for sustaining operations, no matter the disruption.
Step 5: Plan Testing, Training, and Exercises
There’s an adage in the risk management business that says, “You must test to ensure success.” Once a business continuity plan has been developed, it is wise to take the time to train staff so they are familiar with their responsibilities, and conduct simulation exercises to put the plan into practice so that when a severe event occurs, the company will be prepared.
Step 6: Plan Maintenance
Things inevitably change within a business over time, whether adding facilities, shifting personnel to different locations, or changing suppliers and vendors. It is therefore important to regularly review and update the business continuity plan, ideally whenever there is a change to the business or operations. This will keep companies in the best possible position to manage unforeseen severe events when they occur.
Severe weather events or other disasters that can cause a lengthy disruption in operations are bound to occur, so smart companies are taking the time to plan ahead and anticipate those situations. Having a BCM system in place, and regularly reviewing, updating and practicing it, will help companies weather the storm and resume regular operations – and lose less money – when a severe event inevitably occurs.
Nicholas Bahr is global practice leader for operational risk management at DuPont Sustainable Solutions. DuPont Sustainable Solutions (DSS), a business unit of DowDuPont Specialty Products, is a leading provider of world-class operations consulting services to help organizations transform and optimize their processes, technologies and capabilities. DSS is committed to improving the safety, productivity and sustainability of organizations around the world. Additional information is available at: DuPont
Main Image: Floodwaters left in the wake of Hurricane Harvey–Copyright Scott Olson, Getty Images