Posted by Nick Hayes on February 19, 2013
Facebook made headlines last Friday with its announcement that it had been the victim of a sophisticated security attack. All major news publications picked up the story, citing widespread concern about the implications of the breach.
The breach itself, however, was largely a nonevent from a security standpoint.
Facebook identified the security breach before it infiltrated too deeply into company systems, remediated all compromised machines, informed law enforcement, and reported the Java exploit to Oracle, Java's owner – acting quickly and appropriately. Most importantly, Facebook made it clear that the breach did not expose any of its users’ data.
In spite of Facebook’s quick response and the relatively minor impact of the breach, it was still a huge news event because it was Facebook. Some security analysts went as far as to classify the reaction from the press as “irresponsible” journalism. Especially considering that Facebook is only one of a growing list of prominent organizations that have announced security breaches in the past month (a list that includes organizations such as Bit9, The New York Times, The Wall Street Journal, and Twitter), it’s interesting that Facebook’s breach became the big story that it did. For example, Twitter’s security breach potentially exposed user data for approximately 250,000 accounts. LinkedIn faced a breach last summer that also compromised a large number of member passwords. Facebook’s breach compromised ZERO.
So why all the headlines about a relatively harmless event?
It’s actually all about the “could haves”: the potential impact a major security breach could have on Facebook, the implications it could have for the way consumers engage on the social network, the impact it could have on Facebook’s bottom line. Facebook’s reputation and business model rely heavily on one thing in particular – consumer trust – and that trust appears to be wavering.
Even before last week’s breach announcement, recent data trends pointed to users decreasing the amount of time they spend on the site and to people even beginning to abandon Facebook in "droves." Other recent articles offer advice on how Facebook users can minimize the amount of information they share and reduce their exposure in the case of a breach (such as this article, which came out a week before Facebook’s breach announcement).
At the same time, Facebook continues to ask people to do the exact opposite: use the site more frequently, share more information about themselves, check in at local coffee shops, use mobile payments, etc. – all of which is critical to Facebook’s efforts to monetize its product and bring value to the company. But the more Facebook seeks ways to embed itself further in consumers’ lives, the more personal information there is on the site that can put these same consumers at risk. With the stakes as high as they are today, even relatively minor breaches such as this one will garner lots of attention.
Facebook dodged a bullet this time, but it can’t remain complacent. One major security breach could fundamentally alter the way people interact on the social network, diminish their willingness to share even basic personal information, and be reason enough for them to leave Facebook altogether.
One thing from this breach is very clear: Facebook’s reputation and business model are on the line now more than ever before. Consumer trust is one thing the social network can’t afford to lose.