The cyber security firm that uncovered a data breach involving a B.C.-based firm with links to Cambridge Analytica is aware of another Facebook data breach that may involve the private messages of as many as 48 million users, according to Chris Vickery, director of cyber risk research at UpGuard.
Vickery told the Standing Committee of Access to Information, Privacy and Ethics about the breach on Tuesday morning without offering many details. The purpose of the committee meeting was the breach of personal information involving Cambridge Analytica and Facebook. An investigation being conducted by the Privacy Commissioner of Canada, in tandem with the B.C. regulator, covers both Facebook and data analytics services firm AggregateIQ.
“Whatever the most detailed message you’ve sent to a loved one could be stored in a database and tied to your name,” Vickery said, responding to a question about the level of detail involved in a Facebook breach.
Vickery added that he was working on an investigation that included messages and collaborating with a journalist. He clarified later on Twitter that how private or non-private those messages were is yet to be determined.
I need to clarify this. There is a separate situation involving 48 million individuals that is being ironed out. I want to be clear I stated that *messages* are present. Their private or non-private nature is yet to be fully determined.@zackwhittaker will break that story.
— Chris Vickery (@VickerySec) April 17, 2018
He also said the journalist he is working with is Zack Whittaker, security editor at ZD Net. Vickery participated in the committee session by videoconference from California.
In response to request for comment from IT World Canada, a Facebook spokesperson guessed that Vickery was making reference to a case involving developer CubeYou, first reported by CNBC on April 8. But Vickery says his investigation is different from the CubeYou situation.
UpGuard has been releasing reports on Vickery’s discovery of an exposed data repository of AggregateIQ. The firm was involved in the U.S. presidential campaign of Ted Cruz, Britain’s 2016 campaign on exiting the European Union, as well as a number of Canadian politicians. UpGuard has linked AggregateIQ to Cambridge Analytica owner SCL through a web domain owned by former SCL CEO Alexander Nix.
Political parties need privacy regulation: Therrien
Also presenting at the committee meeting was Daniel Therrien, the Privacy Commissioner of Canada. He pointed to the recent Facebook breach as proof that stronger privacy laws are needed. Therrien called for the power to proactively investigate companies and enforce privacy law in his annual report last year.
“The time for self-regulation is over,” Therrien said, citing Facebook CEO Mark Zuckerberg’s own admission that mistakes were made, as well as Apple CEO Time Cook’s comments that regulation is needed. “It is not enough to simply ask companies to live up to their responsibilities. Canadians need stronger privacy laws.”
Having the ability to order Facebook to comply with PIPEDA, the law governing Canada’s private sector, would have helped the Office of the Privacy Commissioner following its 2009 investigation, he said. At the time, the office was only able to make recommendations to Facebook for changes to its privacy policies. Whether those recommendations were respected by Facebook will be part of the current investigation, although the office previously said it was satisfied with the social network’s response.
It’s also time to regulate how political parties use personal information in Canada, Therrien said. The Privacy Commissioner currently can’t conduct investigations into political parties at any level of government.
In Canada, only B.C. has laws protecting privacy of information used by political parties. Yet it’s common to see federal regulations in other jurisdictions, Therrien said. There are now many actors in the digital environment around political campaigns, such as marketers, content providers, telecom firms, data brokers, and analytics services.
“This is in my view, a regulatory gap,” he said. “The integrity of our democratic processes and trust in our digital economy are clearly facing significant risks.”
While the use of personal data by political parties should come under scrutiny of regulators, that doesn’t mean it’s always bad, Therrien said. There’s a need for politicians to have intelligent communication with the electorate and know who they are.
The ethics committee has another session planned to review the Cambridge Analytica and Facebook breach on Thursday morning.