Facebook has confirmed almost 50 million of its user accounts have been compromised following a hacker attack on its network earlier this week (25 September).
The company today (28 September) announced attackers had exploited a weakness in its ‘view as’ tool, which allows users to see what their profile looks like to someone else. The ‘view as’ feature has subsequently been temporarily removed from the platform.
Facebook said specific posts containing personal information such as age, gender and location were bugged, but assured users that their password and credit card information had not been compromised.
It is the second time this year that the tech giant has been forced to apologize to users after their personal information was exposed or manipulated. March’s Cambridge Analytica scandal, which revealed that the information of up to 87m Facebook users had been passed on to the political data firm without consent, saw a number of advertisers halt their spend with the platform.
Commerzbank, Mozilla and Sonos were among the bigger brands to lead the retreat. The latter went as far as to pull all of its advertising from Facebook, Instagram, Google and Twitter for a week in response. It is currently unclear if any brands will follow suit this time around.
News of the hack comes a day after Facebook admitted advertisers had gained access to user phone numbers and contacts in order to better target consumers.
The Association of National Advertisers (ANA) did not comment directly on the data breach, but resurfaced the response it issued in the wake of Cambridge Analytica, stating it was "equally applicable to the current situation".
"The ANA wants brands to advertise on platforms that are safe, reach their intended consumers, and ensure brand integrity," it stated in March. "The inappropriate use of information and insight means everyone -- consumers, advertisers, publishers and other stakeholders – loses."
Justin Kennedy, chief operations officer of programmatic ad buying platform Sonobi, said he believed there could be both a near-term and a long-term effect on the relationship between Facebook and its advertisers.
"Near-term, this will continue to shine a light on how much advertisers and brands invest into a platform that potentially has issues with security, and if they can lose user data, they can lose advertiser data as well," he said.
"This is just another hit to the reputation of Facebook, which they don't need right now. Longer term, this incident will again spark ideas at the agency and brand level about how they can diversify away from the platform. Additionally, this attack may lead to Facebook restricting or removing access to valuable user data that is part of what makes the platform so efficient from a return on ad spend perspective."
Rachel Aldighieri, MD of the Direct Marketing Association, added: "It is encouraging to see that Facebook have reported the attack promptly and have already begun their investigation into how the breach occurred. It isn’t yet clear how many EU citizens’ data has been affected but should it come to light that these citizens are among those whose data was breached, Facebook would be subject to hefty fines under GDPR. It appears that the breach was the result of a cyber-attack and not due to negligence; if this is the case then any fines will be proportionate and will take this into account.
“However, fines are just one of the risks to organisations like Facebook. We believe the long-term effects on customer trust, share price and public perception could have more lasting damage.
“Facebook now has the challenge of re-building the trust of its customer base, a job that might be difficult given the events involving Cambridge Analytica earlier this year. To do this, it’s vital that the organisation focuses its efforts around two of the core principles of the GDPR – accountability and transparency. They need to show that they have done everything possible to ensure such a breach won’t happen again.
“This breach appears to have impacted 50 million users of the social network site meaning that a vast amount of personal data is now in the hands of criminals. It is therefore imperative that Facebook are forthcoming in contacting all those affected, provide information on what this breach means for them, and offer support to those who are likely to be very concerned by the news.
“We would encourage any concerned users of Facebook to contact the website through its official channels and also follow the updates that they are likely to provide over the next few days. It is important to remain vigilant in checking your account and bank statements to ensure there’s nothing unusual. There’s no need to panic or cancel cards, but if you do see any suspicious activity we recommend contacting your bank immediately."
Other commentators, however, have predicted the impact will be minimal.
Jeff Ratner, chief media officer at iCrossing, noted that none of his clients have explicitly requested removal from Facebook this time around.
"There is still faith in the system" he said. "However, today was definitely unsettling. Facebook should be the gold standard of data security."
Brian Wieser, a senior analyst at Pivotal Research, agreed. He said that although the situation is unlikely to impact advertisers "in any meaningful way", "questions about trust and about Facebook’s ability to manage its business well will continue, however, as this incident is illustrative of deeper problems".
He added: "It probably won’t meaningfully impact the brand in the short term."
Facebook is yet to determine who was behind the attack, as well as whether it has affected users in particular locations. It confirmed it has notified law enforcement and GDPR's enforcement body in Europe of the incident.
The UK's Information Commissioner's Office stated its intent to make "enquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected".