Facebook data leak: What S’pore users need to know

On Thursday (Apr 5), Facebook said in response to media queries that more than 65,000 of its users in Singapore may have had their information “improperly shared” with political consultancy firm Cambridge Analytica, as part of a growing scandal involving the data leak of some 87 million people worldwide. Facebook said it would notify the affected Singapore users, without providing more details.

Experts tell TODAY what are the repercussions of the incident and how Facebook users, including those affected by the data leak, can protect themselves.

1. What should users do?

Dr Steven Wong, president of the Association of Information Security Professionals: “The danger of sharing information on the Internet is that once it is posted, you will have to assume that there is no delete. Thus, if there are any security questions for your bank or email accounts that may be answered by your Facebook posts, it may be good to change those questions or answers. Then moving forward, users need to be more conscious of personal information that they share over social media as these could be easily mined.”

Ms Joanne Wong, Senior Regional Director for Asia Pacific & Japan at LogRhythm: “They can protect themselves from future incidents through: Careful sharing of information on social media platforms, stripping away sensitive information from social media platforms and keeping personal details to the minimum, ‘spring clean’ by looking at apps that have access to their social media profiles and review what information they are asking for, remove apps that are not in use or those that are asking for more information than necessary, be aware of what data third party apps are asking.”

Ms Jennifer Yang Hui, Associate Research Fellow at the Centre of Excellence for National Security: “New users should take time to read through terms and conditions upon signing up for Facebook account. Existing users should also review changes in social media platforms’ terms and conditions as and when they arise. Some users have taken to deleting their Facebook accounts entirely.

Deleting Facebook, however, is not a foolproof method to take back control over one’s data, due to the social media platform’s data retention policies and backups… A less drastic measure may be reviewing from time to time what data they may have shared and deleting older apps that are no longer actively used.”

2. How could Facebook data be used by third-party apps?

Dr Wong: “With the rise in the mining of social data and the advancement in data analytics, many people share information about themselves that, in isolation, seems harmless.

However, when pieced together, this information may reveal personal data that the users are not aware that they have implicitly shared.  A simple example of mining a person’s birthday: Steven has Facebook friends Alex, Andre and Freddy.

Steven allows a 3rd party app to use his ‘friends’ contacts. Steven’s Facebook post on April 5, 2018: ‘Great catch-up over whisky with my old primary six school classmates Alex, Andre and Freddy last night!!! After so long then I discovered that Freddy and I are born on the same day’ Andre’s Facebook post on Jan 1, 2017:

‘Cannot believe it… it has been exactly 21 years since I left primary school!!!’ Freddy’s Facebook post on April 1, 2016: ‘(Singing)Happy Birthday to me… Happy Birthday to me… Happy Birthday to me… Happy Birthday to me!!! Sigh… still single’ Now the 3rd party app has a good idea of Steven’s birthday even though no one actually explicitly shared it.” 

Ms Wong: “It depends on the data they request for. Facebook is changing their policy but third-party apps used to be able to get information from religion to relationship status.

Such information can be used in building digital profiles. Such digital profiles can be used in many different ways such as advertising, personalisation of content or identifying patterns and even preferences in different activities.”

3. What are the larger implications? 

Dr Wong: “We are now living in a digital age where people share more information about themselves across the Internet than they do in the physical world… The cybersecurity concerns are that some of these data, such as age, birth dates, address, favourite food, etc, may also be used for validation purposes by your bank or your internet/email accounts.

Thus, users need to more aware of the privacy and cybersecurity implications of the information they share on social media as these could be mined by cyber-criminals resulting in the loss of sensitive personal data.

The information they share over the Internet might also unintentionally cause the privacy and personal data of their friends to be compromised.”

Ms Wong: “We should always be concerned about what we are sharing online.

This may have been a case of policy breach but the amount of data held by these platforms mean that they are prime targets for cyber attackers.

Organisations ought to have robust frameworks that protect the data they collect while users, or Facebook users in this case, should also always practise vigilance when they allow external parties access to their data. Understand and recognise the risks of sharing your data before going ahead with doing so.”

Mr Foo Siang-tse, managing director of Quann Asia Pacific: “The data has market value in the deep, dark web to build even more complete profiles of individuals, and then used for more targeted attacks, such as phishing.

These attacks could result in data leakage, financial fraud or even identity theft. It could also be used to shape societal views, undermine reputations and perpetuate fake news.

Should such data breaches occur in Singapore, our financial and political stability could be threatened. The lost data can be used to launch spear phishing attacks on high profile targets – or whaling – such as CEOs of large corporations, senior government officials or politicians.”