New Facebook data breach may include messages of 48 million users, House of Commons committee told

Editor’s note: More details on the data breach mentioned by UpGuard’s Chris Vickery have been made available. The data breach involves a business search service, LocalBlox, which included some publicly-available Facebook information that was scraped. Read the full explanation here. 

The cyber security firm that uncovered a data breach involving a B.C.-based firm with links to Cambridge Analytica is aware of another Facebook data breach that may involve the private messages of as many as 48 million users, according to Chris Vickery, director of cyber risk research at UpGuard.

Vickery told the Standing Committee of Access to Information, Privacy and Ethics about the breach on Tuesday morning without offering many details. The purpose of the committee meeting was the breach of personal information involving Cambridge Analytica and Facebook. An investigation being conducted by the Privacy Commissioner of Canada, in tandem with the B.C. regulator, covers both Facebook and data analytics services firm AggregateIQ.

UpGuard researcher Chris Vickery discovered the AggregateIQ data breach.

“Whatever the most detailed message you’ve sent to a loved one could be stored in a database and tied to your name,” Vickery said, responding to a question about the level of detail involved in a Facebook breach.

Vickery added that he was working on an investigation that included messages and collaborating with a journalist. He clarified later on Twitter that how private or non-private those messages were is yet to be determined.

He also said the journalist he is working with is Zack Whittaker, security editor at ZD Net. Vickery participated in the committee session by videoconference from California.

In response to request for comment from IT World Canada, a Facebook spokesperson guessed that Vickery was making reference to a case involving developer CubeYou, first reported by CNBC on April 8. But Vickery says his investigation is different from the CubeYou situation.

UpGuard has been releasing reports on Vickery’s discovery of an exposed data repository of AggregateIQ. The firm was involved in the U.S. presidential campaign of Ted Cruz, Britain’s 2016 campaign on exiting the European Union, as well as a number of Canadian politicians. UpGuard has linked AggregateIQ to Cambridge Analytica owner SCL through a web domain owned by former SCL CEO Alexander Nix.

Political parties need privacy regulation: Therrien

Also presenting at the committee meeting was Daniel Therrien, the Privacy Commissioner of Canada. He pointed to the recent Facebook breach as proof that stronger privacy laws are needed. Therrien called for the power to proactively investigate companies and enforce privacy law in his annual report last year.

“The time for self-regulation is over,” Therrien said, citing Facebook CEO Mark Zuckerberg’s own admission that mistakes were made, as well as Apple CEO Time Cook’s comments that regulation is needed. “It is not enough to simply ask companies to live up to their responsibilities. Canadians need stronger privacy laws.”

Having the ability to order Facebook to comply with PIPEDA, the law governing Canada’s private sector, would have helped the Office of the Privacy Commissioner following its 2009 investigation, he said. At the time, the office was only able to make recommendations to Facebook for changes to its privacy policies. Whether those recommendations were respected by Facebook will be part of the current investigation, although the office previously said it was satisfied with the social network’s response.

It’s also time to regulate how political parties use personal information in Canada, Therrien said. The Privacy Commissioner currently can’t conduct investigations into political parties at any level of government.

In Canada, only B.C. has laws protecting privacy of information used by political parties. Yet it’s common to see federal regulations in other jurisdictions, Therrien said. There are now many actors in the digital environment around political campaigns, such as marketers, content providers, telecom firms, data brokers, and analytics services.

“This is in my view, a regulatory gap,” he said. “The integrity of our democratic processes and trust in our digital economy are clearly facing significant risks.”

While the use of personal data by political parties should come under scrutiny of regulators, that doesn’t mean it’s always bad, Therrien said. There’s a need for politicians to have intelligent communication with the electorate and know who they are.

The ethics committee has another session planned to review the Cambridge Analytica and Facebook breach on Thursday morning.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Brian Jackson
Brian Jacksonhttp://www.itbusiness.ca/
Former editorial director of IT World Canada. Current research director at Info-Tech

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now