After Facebook found itself embroiled in the Cambridge Analytica data scandal that affected the personal information of 87 million of its users, the company is now tied to another data breach. This time, Localblox is the culprit.
Like Cambridge Analytica, Localblox creates profiles of individuals using information scraped from publicly accessible sources, like social network profiles on LinkedIn, Facebook, Twitter, and Zillow. Localblox chief technology officer Ashfaq Rahman describes the process to ZDNet as creating transformative intelligence by joining bits and pieces together. A listing on Crunchbase describes Localblox as “a location-based social network that builds scalable neighborhood platforms, aggregating business profiles with metadata.”
Unfortunately for the company, the collected data was stored in an unsecured and unlisted Amazon S3 bucket, which was discovered by ethical data breach hunter Chris Vickery at cybersecurity research firm UpGuard. The combined files amounted to 1.2 terabytes of storage, and up to 48 million user profiles were kept without a password. Localblox secured access with a password within hours of Vickery’s notification.
“The data collected includes names and physical addresses, and employment information and job histories data scraped from Facebook and LinkedIn profiles — like dates of birth and other public profile data, and Twitter handles,” ZDNet reported after examining the files Vickery collected.
Rahman disputed Vickery’s reports, claiming that most of the data was fabricated for testing, and that Vickery had hacked into Localblox’s systems.
It’s unclear what legal repercussions, if any, Localblox will suffer as a result of its collection of data without user consent. Facebook, LinkedIn, Twitter, and Zillow all have policies prohibiting data scraping, but there are no laws in the U.S. that allow people to remove their personal data once it has been collected by firms like Cambridge Analytica and Localblox. In Europe, consumers benefit from stricter digital privacy regulations.
When compiled, the scraped data could be used in powerful ways, as Cambridge Analytica has shown with its involvement in Donald Trump’s presidential election campaign.
“The exposed LocalBlox dataset combines standard personal information like name and address, with data about the person’s internet usage, such as their LinkedIn histories and Twitter feeds,” UpGuard wrote in a report. “This combination begins to build a three-dimensional picture of every individual affected — who they are, what they talk about, what they like, even what they do for a living — in essence a blueprint from which to create targeted persuasive content, like advertising or political campaigning. If the legitimate uses of the data aren’t enough to give pause, the illegitimate uses range from traditional identity theft, to fraud, to ammunition for social engineering scams such as phishing.”
In an interview with StreetFight in 2013, Localblox president Sabira Arefin shifted the data protection blame to networks like Facebook, stating, “it is up to the individual sites and system to determine the terms and conditions and then enforce any security mechanism in place if they want to prevent scraping.”