RealTime IT News

Facebook Gets a Spanking Over Data Loss

Facebook's attempt to get users to reset their e-mail preferences has blown the lid off an an embarrassing loss of user data inside the social network.

When the site recently e-mailed members asking them to reset their notification preferences, bloggers picked up the scent of a possible data loss at Facebook.

"When it arrived in my mailbox, it looked Phishy," wrote Graham Cluley, senior technology consultant at IT security and control company Sophos, in a blog post yesterday.

The e-mail from Facebook to him read: "Unfortunately, the settings that control which email notifications get sent to you were lost. We're sorry for the inconvenience." The note included a link to use to reset members' notification settings.

These preferences tell Facebook what topics members want to be notified of by e-mail and what they don't.

"Somehow, someone at Facebook managed to lose users' settings controlling when they should be emailed," Cluley wrote.

"Now, this isn't like having information about users' identities or credit cards stolen or leaked out onto the net, and there's no suggestion that there is anything criminal going on here, but this is monumentally embarrassing for the social networking giant.

"Because they really did _lose_ information. Permanently. Which means a software engineer on their team must have accidentally damaged or overwritten entries in their database beyond repair. Millions of Facebook users, potentially, will need to go in an reset their settings because of a simple mistake.

While the impact of this data loss was relatively minor, the loss raises larger questions, such as how well Facebook is protecting its members' data.

Facebook has 120 million users worldwide, according to Sheryl Sandberg, the company's chief operating officer, who cited the count at a recent conference.

Facebook did not respond to requests for comment by press time.

Experts agree that the loss of information indicates a breach of elementary database management principles.

"From a datacenter management standpoint, this is a black eye for Facebook," Charles King, principal at Pund-IT Research, told InternetNews.com. "If a mainline retail enterprise like Macy's (NYSE: M) or Costco (NASDAQ: COST) or Wal-Mart (NYSE: WMT) had lost critical user data for their retail customers, heads would roll over this."

Jonathan Bryce, a co-founder of Mosso, Rackspace Hosting's (NYSE: RAX) cloud hosting division, told InternetNews.com that standard practice is to make sure databases are backed up, even on the cloud.

It's not the cloud, it's a fog

More importantly, the data loss throws a weakness in Facebook's IT strategy into plain sight, if a member of the IT staff managed to delete data in a back end database without the approval of supervisors or having to get some sort of clearance.

"It's rather astonishing; the most important and valuable thing Facebook possesses is its data, and to lose some of it is extraordinary and suggests that they don't have proper backup systems in place," said Cluley, who has documented other Facebook issues such as when it accidentally revealed the full dates of birth of many of its members in July of last year.

"Nothing is really in the cloud. Ultimately it's on a computer somewhere and there's no reason why it can't be backed up," Cluley added.

Plus, the e-mail notification looked a lot like spam, at a time when Facebook members are being targeted by spammers. Just a few weeks ago, the social networking site won a record judgment against spammer in Montreal, Canada and vowed to go after others.

"They e-mailed people with a link telling them to log in, and it's a cardinal rule for Internet users to be very suspicious of e-mails telling them some of their settings have been changed and they should log in and check," Cluley said.

"Rather than include a link, they should have told users to log into Facebook as normal and change their settings," he added. "That's just good practice."

Spammers often send out e-mails urging users to click on links to Websites and, when they do, their PCs are infected. Facebook users were hit by a spam of this type in April. That's not all; since July, spammers have been targeting Facebook with the Koobface worm, and in October, they sent out an e-mail containing this worm that invited Facebook users' friends to click on a link taking them to Google Picasa or a shared video in the Google Reader RSS feed aggregation site.

The data loss at Facebook could cost it quite a bit of money: "When you have more than 100 million users and you have to ask a sizeable percentage of them to restore their e-mail preferences, the mop-up is a dirty job," Pund-IT's King pointed out.