
Equifax Move Over, Here Comes The Cambridge Analytica and Facebook Scandal!


We've been following security and breaches for a long time and they have been getting unquestionably worse. While mega-credit card breaches seem to have been falling off lately, other industries like healthcare, research analytics, and financial services have quickly taken their place. Last year was a record breaker for vulnerabilities and data breaches. We thought that Equifax was about as bad as it could get short of an all-out cyber-war. In light of recent events, that opinion now looks optimistic.

What Could Eclipse Equifax?

The big news that emerged over the weekend and on Monday, March 19th is a breach or theft of data from Facebook by Strategic Communications Laboratories and Cambridge Analytica. It is not so much the scale of the breach that stands out, since Equifax is currently about 3 times larger; it is the very nature and exploitation of the breach/theft. If the reporting on this is accurate, this is far more disturbing than the neglect and apparent incompetence that led to the Equifax breach. The reporting not only hints at neglect and disinterest but carries strong suggestions of criminal activity. Currently, Facebook is aggressively investigating the incident and Cambridge has denied these claims.

What is certain at this point is that both Facebook and Cambridge need to do some serious explaining. It's not just that Cambridge took the data but also that Facebook appears to have known and been less than forthcoming about what they knew. There will be multiple inquiries and investigations in many countries. There will also be lawsuits and possibly criminal trials, as well as calls to put limits on tech companies or possibly break them up. Lastly, even if Facebook naively trusted a researcher who lied and cheated, there will be demands for changes.

Another thing that is certain is that Cambridge Analytica's role in the Brexit vote will raise questions in the UK. Its association with the Trump campaign in the 2016 US elections and its connections to political figures like Steve Bannon, a one-time VP with Cambridge, and Donald Trump will add further intrigue and fuel to the already fragmented US political scene. Reporting indicates the Mueller investigation will also be looking into Cambridge.

Finally, investigative journalists in the UK went undercover and have video of Cambridge executives talking about setting up opponents to look like they're corrupt or involved with prostitutes and leaking videos on the Internet. Cambridge is denying it, claiming it was a setup and that they were lured into a "hypothetical discussion."

Taken together, and if accurate, these reports suggest Cambridge may have gone far beyond just targeting election ads. They may have actively manipulated and deceived the public. They may possibly be real "fake news."

Based on what has been reported to date, if accurate, we'd be surprised if Cambridge Analytica can survive as a company. Facebook too may be wounded even if it is too large to be killed. Even if the US doesn't take action against Facebook, other jurisdictions can. Several states with breach disclosure laws may act, and the EU already has a tense relationship with Facebook.

One thing that is certain is that there is a lot more to this story and we will be hearing about it for a long time to come. What follows is a summary of news articles which should get you started. Keeping up on this will surely challenge everyone given the rate at which new articles keep appearing.

What Has Been Reported?

Cambridge Analytica, Strategic Communications Laboratories, and SCL Elections (all related) used a personality app to profile approximately 270K Facebook users. Using a further "loophole", they were able to gather information on another 50M users without asking for any consent; this data was in turn used to generate over 30M psychographic profiles. The company has been denying this for years.

Facebook denies this was a breach, confirms that Cambridge stole its data, and shuts out the whistle-blower, Strategic Communication Laboratories, and Cambridge Analytica.

Some background

Not to be confused with ...
