Australian cybersecurity start-up UpGuard revealed on Wednesday that information about 540 million Facebook users gathered by the Cultura Colectiva media company was publicly accessible via an unprotected Amazon S3 bucket.
The public records were said to include account names, user IDs, comments, reactions and other information. UpGuard said it emailed Cultura Colectiva about the issue on January 10 and 14. When it didn’t receive a response, it emailed Amazon Web Services (AWS) on January 28 and then again on February 21, as the data remained accessible.
The security firm said the data stored by Cultura Colectiva remained available until Bloomberg contacted Facebook for comment on April 3. Then, after months of inaction from both Cultura Colectiva and AWS, information about more than half a billion people was finally taken down. It’s not clear why AWS didn’t remove it sooner.
According to the BBC, Facebook (the company) said that Cultura Colectiva’s decision to store information about its Facebook (the social network) users outside of official Facebook (the platform) servers violated its terms of service. That allowed the company to facilitate the records being taken down from AWS.
This might seem like a victory for Facebook: it was made aware of a company exposing user data and acted swiftly to protect its users. But, just like the Cambridge Analytica scandal, this shows that Facebook struggles to enforce its policies. Cultura Colectiva’s records were exposed for several months after UpGuard's disclosure, and who knows how long before that.
Facebook’s platform offers access to more data than most people can fathom. The company is obligated to make sure other companies gather, use and store that data responsibly. Both here and with the Cambridge Analytica scandal Facebook didn’t—and perhaps couldn’t—do that until the issues attracted public scrutiny. (To say nothing of the company’s own mismanagement of user data.)
The revelation was part of a larger UpGuard report about how companies often fail to secure information stored with AWS. The security firm discovered another company, At The Pool, exposed data about 22 million of its users via the service as well. And the list doesn’t stop there.
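The common thread in UpGuard's findings is storage that was reachable by anyone, either through an ACL granting the AllUsers group access or through a bucket policy that allows a wildcard principal. As an added illustration (not code from UpGuard, Cultura Colectiva, or the article), the following Python audits an S3 bucket's ACL and bucket policy for those two misconfigurations. The inputs are constructed inline in the shape of the `get_bucket_acl()` and `get_bucket_policy()` responses a client library returns, so the check runs offline; the bucket name and grantee IDs are placeholders.

```python
"""Audit an S3 bucket's ACL and bucket policy for public access.

Hypothetical example, not taken from the report or the article. The ACL and
policy documents are constructed to mirror the response shapes of the S3
GetBucketAcl and GetBucketPolicy APIs, so no network or credentials are needed.
"""
import json

# The two predefined grantee groups that make an ACL grant "public".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return (group URI, permission) pairs for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _principal_is_wildcard(principal):
    """True when a policy statement's Principal matches any caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json):
    """Return Allow statements that apply to a wildcard principal with no Condition.

    A Condition block can scope a wildcard (e.g. to a VPC endpoint), so only
    unconditioned statements are reported here; conditioned ones deserve a
    manual look rather than an automatic finding.
    """
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be given without a list
        stmts = [stmts]
    return [
        s for s in stmts
        if s.get("Effect") == "Allow"
        and _principal_is_wildcard(s.get("Principal"))
        and not s.get("Condition")
    ]


def audit_bucket(acl, policy_json=None):
    """Combine ACL and policy checks into a list of human-readable findings."""
    findings = []
    for uri, perm in acl_public_grants(acl):
        findings.append(f"ACL grants {perm} to {uri.rsplit('/', 1)[-1]}")
    if policy_json:
        for s in policy_public_statements(policy_json):
            actions = s.get("Action", [])
            if isinstance(actions, str):
                actions = [actions]
            sid = s.get("Sid", "<no Sid>")
            findings.append(f"Policy statement {sid} allows {','.join(actions)} to any principal")
    return findings


# Constructed sample: an exposed bucket (owner plus AllUsers READ, public GetObject).
EXPOSED_ACL = {
    "Owner": {"ID": "placeholder-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

# Constructed sample: the hardened form, owner-only ACL and no bucket policy.
PRIVATE_ACL = {"Owner": {"ID": "placeholder-owner-id"},
               "Grants": [EXPOSED_ACL["Grants"][0]]}

if __name__ == "__main__":
    for name, acl, pol in (("exposed", EXPOSED_ACL, EXPOSED_POLICY),
                           ("private", PRIVATE_ACL, None)):
        print(name, audit_bucket(acl, pol) or ["no public access configured"])
```

Run against live buckets, the same functions would take the dictionaries a client library returns for each bucket in an account; a scheduled run that alerts on any non-empty finding list is the kind of control that would have caught the exposure long before an outside researcher did. Note that the account-level S3 Block Public Access setting, when enabled, overrides both public ACLs and wildcard policies, so a complete audit also records whether that setting is on.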