Data breach hit over 5.6 lakh Indian users, 87 mn worldwide: Facebook

Private data of over 5.6 lakh Indian Facebook users was compromised by a private marketing firm that later sold the personal details acquired through a quiz app to Cambridge Analytica, a UK-based company at the centre of a global privacy breach storm.

The social media giant informed the Indian government on Thursday about the details of compromised accounts in response to a notice over the user data breach and details of the steps Facebook was taking to ensure safety and prevent misuse of personal data.

A Facebook spokesperson, sharing the response with IANS, said a possible breach of data of 562,455 users happened after 335 Facebook users in India installed a quiz app, "thisisyourdigitallife" between November 2013 and December 2015.

The response comes after Facebook Chief Technology Officer Mike Schroepfer in a blog post showed country-specific break-up of people affected by the data breach, saying information of up to 87 million people, mostly in the US, may have been "improperly" shared with the British political consultancy firm Cambridge Analytica.

The app, developed by University of Cambridge psychology researcher Aleksandr Kogan and his company Global Science Research, pulled out data of not only these 335 users but their friends as well as friends of friends also.

Some 335 people in India were said to have installed the app, which is 0.1 per cent of its total worldwide installs. But this information is limited to people who installed the app throughout its lifetime on the Facebook platform -- from 2013 to December 2015 -- when it was suspended from the platform.

"We further understand that 562,120 additional people in India were potentially affected, as friends of people who installed the app. This yields a total of 562,455 potentially affected people in India."

The social media giant, however, did not reveal the identity or locations of these 335 users.

From Monday, Facebook will inform all 562,455 users that their account privacy had been breached through a link at the top of their news feed so they can see what apps they use and the information they have shared with those apps.

Facebook also doesn't know how Cambridge Analytica and Global Science Research used the data of Indian users because the firms are not its downstream affiliates and may have made independent decisions regarding the data they obtained. This, Facebook said, was "not authorize(d) and breached our policies".

The location of those affected has been identified. But Facebook said the location was "not an indication of voter registration, nationality or citizenship and may not, in some cases, indicate actual place of residence".

"We continue to investigate all apps that had access to large amounts of information before we changed our platform in 2014 to reduce data access and we will conduct a full audit of any app with suspicious activity," the spokesperson said.

The spokesperson said protecting data was "at the heart of everything we do" and require the same from people who operate apps on Facebook.

While Facebook says the number of affected users was "over inclusive", Ankush Johar, Director at Infosec Ventures -- security solutions firm -- didn't agree, fearing the actual figure may be "exponentially bigger".

"The quiz app 'thisisyourdigitallife' is not the only application that had hidden data-scraping functionalities and many other apps were exploiting these so-called 'features' provided by Facebook which the company confirmed itself.

"If as small as 350 users in a single app can lead to leakage of over 5 lakh users, the true number can be exponentially bigger than this," Johar said.

--IANS

sar/hs