Over the past year, news outlets have been buzzing about Facebook (now "Meta") collecting vast amounts of data from healthcare organizations and tax preparation companies. Some of these companies have announced breaches as a result of this data collection.
Why are Companies Sending Sensitive Data to Facebook?
Let's be clear: companies are not trying to send their sensitive information to Facebook. Nobody is going to Facebook.com and uploading customer records. Instead, Facebook is collecting this information through web tracker software that it offers to companies for free to monitor website visitor behavior. Companies invest a lot of resources in their websites to ensure that customers get the best value and can easily navigate their offerings. To see how customers interact with a website, companies install web trackers that record page views, button clicks, visitor statistics, navigation errors, and more. Most websites log user behavior with trackers that are generally invisible to the visitor. Two of the many website trackers are Facebook's Meta Pixel and Google Analytics. Companies install these trackers to collect basic visitor statistics, and often do not realize that the tracker may also be collecting sensitive information.
What is Meta Pixel?
Meta Pixel is Facebook's web tracker software. It is popular, easy to use, and free. Any company can copy the JavaScript snippet into its web pages and immediately see information about website visitors in a dashboard of daily visitor statistics.
Is a Vulnerability in the Meta Pixel Software Causing the “Breach”?
There is no known vulnerability in the Meta Pixel software that is causing the breaches. The pixel is doing what a tracker does: reporting the URL of each page, the text of buttons clicked, and, depending on configuration, form contents to Facebook. When the pixel is installed on pages behind a login, such as a patient portal or a tax return workflow, that reported data can include protected health information or financial details. Companies are announcing breaches because Facebook was never supposed to receive this information. Since Meta Pixel collected more information than intended and Facebook was not authorized to have it, companies are listing the incident as a breach or a privacy violation.
What Companies are Affected?
The Markup news outlet published an investigative report about a number of hospitals that had the Meta Pixel code on their websites and on their password-protected patient portals (Feathers, Fondrie-Teitler, Waller, & Mattu, 2022). Some of the affected hospitals removed the Meta Pixel software as soon as they realized that it could collect more information than intended. The Markup released another report showing how tax filing websites were sending sensitive taxpayer information to Facebook through the same Meta Pixel software (Fondrie-Teitler, Waller, & Lecher, 2022). While the healthcare and financial industries are the ones in the news for these issues, website tracker breaches likely affect many other industries, because the Meta Pixel code is installed on millions of websites.
How is Meta using the Data?
It is unclear how Meta is using the collected data. Facebook itself may not know what it does with this data according to a Vice report based on a leaked internal Facebook memo (Franceschi-Bicchierai, 2022). In the leaked memo, a Facebook engineer stated “We do not have an adequate level of control and explainability [sic] over how our systems use data”.
Number of Individuals Affected
According to the 2023 Velocity Healthcare Breach Report, in the healthcare industry alone, over 6,000,000 medical records were affected in 2022. The affected tax filing companies have millions of customers. The number of affected individuals is most likely much higher and continues to grow as more companies announce that they had the Meta Pixel software on their websites.
What Can Companies do to Prevent this in the Future?
Companies should thoroughly investigate every web tracker before placing its code in a production environment: what data the script reads from the page (URLs, query strings, button text, form fields), where it sends that data, and which pages it is deployed on. A tracker that is acceptable on a public marketing page may be a breach waiting to happen on an authenticated portal. Many companies perform security evaluations on new third parties as part of the procurement process, but that scrutiny is usually not applied to free software such as Meta Pixel or Google Analytics. Companies should ensure that any code change, including a pasted tracker snippet, goes through a Software Development Lifecycle (SDLC) that includes a security analysis, and should verify the result by observing the tracker's outbound requests in a browser rather than relying on the vendor's description alone.
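The following script is an added example of the kind of tracker review described above; it is not part of the original post and is not Stern Security tooling. It scans a set of HTML pages for the Meta Pixel and Google Analytics loaders, flags trackers that appear on paths assumed to serve sensitive content, and decodes a captured Meta Pixel request so a reviewer can see exactly which fields leave the site. The sample pages, the captured request URL, the sensitive-path prefixes and the event and custom-data names are constructed for the example; the loader URLs and `fbq('init')` call come from Meta's published base code, and the request parameter names (`id`, `ev`, `dl`, `rl`, `cd[...]`, `ud[...]`) are as observed in browser developer tools and should be treated as an assumption rather than a documented API.

```python
"""Audit HTML pages for third-party trackers and decode a captured Meta Pixel hit.

Added example, not Stern Security tooling. Sample pages and the captured
request are constructed inline so the script runs offline.
"""
import re
from urllib.parse import urlparse, parse_qs

# Signatures of the trackers discussed on the page. The fbevents.js loader,
# the fbq('init') call and the /tr image fallback appear in Meta's published
# base code; the GA patterns match the gtag.js and analytics.js loaders.
TRACKER_SIGNATURES = {
    "Meta Pixel": [
        r"connect\.facebook\.net/[A-Za-z_]+/fbevents\.js",
        r"fbq\(\s*['\"]init['\"]",
        r"facebook\.com/tr\?",
    ],
    "Google Analytics": [
        r"googletagmanager\.com/gtag/js",
        r"google-analytics\.com/analytics\.js",
        r"gtag\(\s*['\"]config['\"]",
    ],
}

# Paths that serve authenticated or sensitive content (assumption for the example).
SENSITIVE_PATH_PREFIXES = ("/portal", "/patient", "/appointments", "/tax")

# Constructed sample pages; not taken from any real site.
SAMPLE_PAGES = {
    "/": """<html><head>
      <script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
      <script>gtag('config', 'G-EXAMPLE');</script>
    </head><body>Welcome</body></html>""",
    "/portal/appointments": """<html><head>
      <script>
        !function(f,b,e,v,n,t,s){}(window, document, 'script',
          'https://connect.facebook.net/en_US/fbevents.js');
        fbq('init', '000000000000000');
        fbq('track', 'PageView');
      </script>
    </head><body><button>Schedule with Dr. Example</button></body></html>""",
    "/about": "<html><body>No trackers here</body></html>",
}


def find_trackers(html: str) -> list[str]:
    """Return the names of known trackers whose signature appears in the page."""
    return [name for name, patterns in TRACKER_SIGNATURES.items()
            if any(re.search(p, html) for p in patterns)]


def audit_pages(pages: dict[str, str]) -> list[tuple[str, str, bool]]:
    """List (path, tracker, on_sensitive_path) for every tracker found on every page."""
    findings = []
    for path, html in pages.items():
        sensitive = path.startswith(SENSITIVE_PATH_PREFIXES)
        for tracker in find_trackers(html):
            findings.append((path, tracker, sensitive))
    return findings


# Parameter names seen on pixel hits to https://www.facebook.com/tr/ (assumption).
PIXEL_FIELDS = {
    "id": "pixel id",
    "ev": "event name",
    "dl": "document location (full page URL)",
    "rl": "referrer URL",
}


def decode_pixel_hit(url: str) -> dict[str, str]:
    """Decode a captured /tr request into a readable field -> value map."""
    decoded = {}
    for key, values in parse_qs(urlparse(url).query).items():
        value = values[0]
        if key in PIXEL_FIELDS:
            decoded[PIXEL_FIELDS[key]] = value
        elif key.startswith("cd["):      # custom data, e.g. cd[button_text]
            decoded["custom data " + key[3:-1]] = value
        elif key.startswith("ud["):      # Advanced Matching user data (hashed)
            decoded["user data " + key[3:-1]] = value
    return decoded


# Constructed request resembling a hit sent from the appointment page above.
SAMPLE_HIT = ("https://www.facebook.com/tr/?id=000000000000000&ev=SubscribedButtonClick"
              "&dl=https%3A%2F%2Fportal.example.org%2Fportal%2Fappointments%3Fprovider%3Ddr-example"
              "&rl=https%3A%2F%2Fportal.example.org%2Fportal"
              "&cd%5Bbutton_text%5D=Schedule%20with%20Dr.%20Example")

if __name__ == "__main__":
    for path, tracker, sensitive in audit_pages(SAMPLE_PAGES):
        flag = "REVIEW: sensitive path" if sensitive else "ok"
        print(f"{path:25} {tracker:18} {flag}")
    print("\nFields in the captured pixel hit:")
    for field, value in decode_pixel_hit(SAMPLE_HIT).items():
        print(f"  {field}: {value}")
```

Run against real pages by replacing `SAMPLE_PAGES` with fetched HTML and `SAMPLE_HIT` with a request URL copied from the browser's network tab; the decoded `document location` field is where a provider name, search term or appointment parameter in the page URL shows up.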
How can Stern Security Help?
Our cybersecurity services team has extensive experience analyzing web trackers and the data that they send outside a customer environment. Additionally, Stern Security’s Velocity application can be used to get your third-party risk management program in order and evaluate vendor solutions for cybersecurity and privacy problems.
Feathers, T., Fondrie-Teitler, S., Waller, A., & Mattu, S. (2022, July 19). Facebook Is Receiving Sensitive Medical Information from Hospital Websites. Retrieved from The Markup: https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites
Fondrie-Teitler, S., Waller, A., & Lecher, C. (2022, November 28). Tax Filing Websites Have Been Sending Users' Financial Information to Facebook. Retrieved from The Markup: https://themarkup.org/pixel-hunt/2022/11/22/tax-filing-websites-have-been-sending-users-financial-information-to-facebook
Franceschi-Bicchierai, L. (2022, April 26). Facebook Doesn’t Know What It Does With Your Data, Or Where It Goes: Leaked Document. Retrieved from Vice: https://www.vice.com/en/article/akvmke/facebook-doesnt-know-what-it-does-with-your-data-or-where-it-goes