
Breach doesn't imply a mistake.

Anyway, the idea here is that CA breached Facebook users' personal data by methods quite similar to phishing and FB looked the other way. Not necessarily by design but maybe by a desire to exploit the platform as much as possible, so they did not get in the way of people who were doing interesting things.

We all know what a data breach is; calling this a data breach is playing fast and loose with the term.

Look at all the examples of a data breach in this wiki. The CA/Facebook incident looks nothing like them.

CA either paid Facebook to collect data through apps or scraped data from public profiles. Maybe the CA/Facebook incident will change what we consider "breach" to mean, but right now "unauthorized collection of public data to create a political profile of users" is not a data breach.

The first sentence from your link: "A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment."

Sounds like exactly what happened with CA and FB. People came for friends and fun personality tests, and their information got into the hands of a propaganda machine. Definitely a breach.

As for the examples, do you want me to edit the Wikipedia article and add the CA/FB incident?

Based on many of the comments in this thread I don't see how you could say it "sounds like exactly what happened with CA and FB." Debatable maybe. Clear cut, obviously not.

And as for your glib comment on editing the wiki article, you should read more carefully what I said. My argument was that the numerous examples of a breach in that wiki do not fit the CA/FB incident. Adding the incident to the list would do nothing to dispute that point.

The definition from the Wikipedia article certainly does match this incident.

The comments on this thread aren't generally dealing with the question of the applicability of that definition, so bringing that up doesn't help you.

I guess what you're really trying to get at is that you disagree with that definition. That's fine. But it's a very weak argument to appeal to an authority and then disregard the authority where it contradicts your position.

Maybe you need to edit the Wikipedia article ;)

BTW, not sure if this is the part you don't like, but the distinction between intentional and unintentional is tricky. For one, we'd have to pin down whose intentions we're talking about (the people controlling the data store that has been breached, or the people whose private information has been taken). Then, peer into the minds of people we don't know or, worse, try to determine intention for a corporate entity. If intent is part of the definition of a breach, then it would demand a lot of assumptions to be applied (or some kind of long, expensive process like an investigation and trial).

In the end, the impact on the people whose private information was taken is the same: their private information has been taken, en masse, without their permission, by someone they don't know, for purposes they don't know.
