Facebook has not disclosed how many Indian users have been impacted in the breach as it is still investigating the matter.
Ten days after Facebook CEO Mark Zuckerberg announced that the data of 50 million users had been exposed following a massive security breach, the company is yet to disclose the full impact on Indian users.
Last week, the IT Ministry had to ask the Silicon Valley firm for an update on country-specific impact. On the other hand, in adherence to the stricter privacy laws in the West, Facebook had reportedly reached out to regulators in the US and Europe immediately to report the hack.
Citing experts, The Economic Times reported that although the domestic IT Act requires intermediaries such as Facebook to report any cyber-attack, these provisions are not being implemented. Moreover, a data protection law in the country would have deterred companies from delaying disclosure to the government in this manner.
“Any breach that impacts Indian users has to be reported immediately to the regulator, in this case CERT. The existing IT Act has those provisions,” Pavan Duggal, cyber law expert, who worked on India’s cyber law, told the daily.
He added that while the right to privacy has been mandated by the Supreme Court, it applies only to state actors and not to private entities such as Facebook. “A privacy law would make it all-encompassing, bringing all private companies that have any connection with an Indian user,” said Duggal. Facebook has an India entity and is governed by local laws of the country.
According to the Irish Data Protection Commission, less than 10% of the 50 million users in the region have been impacted in the breach. But given that India is Facebook’s biggest user market with 270 million users – around 13% more than the next biggest market, the US – the impact could be wider at home.
According to the daily, Facebook has not disclosed how many Indian users have been impacted in the breach as it is still investigating the matter. “We are still working through the details of impacted users in India and will release more information once we have concluded our investigations,” a Facebook spokesperson told PTI last week. “We are in touch with Government of India, to share preliminary information about the security issue we announced on September 28. We have taken immediate action and informed all our users, advertisers and secured their accounts.” Facebook logged out the 50 million affected users and an additional 40 million after the revelations.
In a conference call with reporters late last month, Zuckerberg had disclosed that the company’s engineering team discovered the security breach on September 25. “The attackers exploited a vulnerability in the code of the ‘View As’ feature, which is a privacy feature that lets people see what their Facebook profile would look like to another person,” he explained, adding that the hackers had tried to access profile information fields like name, gender and hometown, but “we do not yet know if any private information was accessed that way”.
Earlier in the year, too, Facebook had courted controversy when data mining firm Cambridge Analytica was accused of illegally harvesting personal data of 87 million global users of the platform to influence polls in several countries. The company had drawn flak from policymakers across the world for this. The Indian government had shot off two notices to Facebook over the incident and in response to the first one, Facebook had admitted that nearly 5.62 lakh people had been “potentially affected” by the breach.