Identity Theft Resource Center Responds to the Facebook/Cambridge Analytica “Data Breach”

Share Article

Misappropriation and misuse of user data continues to unfold

It is imperative that any company that collects data be a good steward of that data they’ve been entrusted with, using it as agreed to by those providing the permission

The Identity Theft Resource Center, the nation’s leading source of aggregated data breach analytics and thought leader in identity crime, has responded to the recent developments in the emerging Facebook and Cambridge Analytica situation. The information provided by sources on the misuse of millions of Facebook users’ data cannot be classified as a breach one way or another given the lack of specifics currently available. This focuses the attention on the fact that consumers continue to underestimate the value of their personal identifying information and the potential of what it can be mined to accomplish.

As a leader in data breaches within the US, the Identity Theft Resource Center has reviewed the known information available currently surrounding the specifics of the use of millions of Facebook users’ personal – and potentially private – information that was obtained by Cambridge Analytica. Without transparency from the parties involved as to what components of the user profile were used in the data mining to create the algorithm, the specialists at the Identity Theft Resource Center cannot definitively call this incident a data breach.

A data breach is categorized as a “compromise of user data that included personally identifying information (PII) that was the result of malicious attack or negligence (including employee error or accidental web/internet exposure) on the part of the organization housing the information.” In this case due to the fact that components of some users’ social media profiles could contain personally identifying information (PII) as defined in some states – i.e. email, phone, address, credit cards, etc. - a better standard needs to be created for categorizing these types of events. Additionally, because users provided a limited set of permissions as to what could be used in their profiles and the entities collecting the data chose to exceed their scope of data mining beyond the permissions provided, creating a new standard for this type of intrusion is imperative.

“Social media users fill out their profiles with numerous aspects of who they are,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “Many times users do not understand that there can be unintended consequences to adding information to their account. Information like birth date, gender, physical address and phone number can all be a part of one’s personal identifying information (PII) – and can be data-mined by less than ethical organizations looking to exploit the user.”

Some of the information that has yet to be shared by the organizations involved that could put social media users at an increased vulnerability for identity theft include which aspects of the users’ profile were used in the data mining process. Accessing information such as physical address, phone numbers, email addresses, payment methods attached to their social profiles and other information that could be used to assume or create an identity are all part of a user’s Facebook profile.

“It is disappointing that an organization would make agreements with Facebook and subsequently the individual social media users about what information could be used and how, then reach far beyond that agreement,” continued Velasquez. “It’s a blatant violation of the public trust that opens users up to potentially negative consequences. This reinforces the conversation for users to reflect on just how much information they provide on their social media and digital profiles that could unintentionally be used maliciously. It is imperative that any company that collects data be a good steward of that data they’ve been entrusted with, using it as agreed to by those providing the permission. I would encourage both entities involved to publicly disclose exactly what was used beyond the permissions that were given. This will allow those impacted by the misuse of their data to take the next step in deciding how to manage their personal information – giving them the opportunity to implement a remediation plan if they deem it necessary.”

Identity Theft Resource Center also recommends that users of social media platforms review their profiles to see how much personal identifying information is listed and remove data that is not necessary. Users should review their use of social media platforms as payment tools as that information could potentially be accessible to third parties.

If consumers believe that they may have been the victim of identity theft or have questions about how a data breach may impact them, they can call the Identity Theft Resource Center and speak with an adviser free of charge (888.400.5530).

About the Identity Theft Resource Center
Founded in 1999, the Identity Theft Resource Center® (ITRC) is a nationally recognized nonprofit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cybersecurity, scams/fraud and privacy issues. Through public and private support, the Identity Theft Resource Center provides no-cost victim assistance and consumer education through its call center, website, social media channels, live chat feature and ID Theft Help app. For more information, visit:

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Lelani Clark
Visit website