If you’re not already aware of the massive leak of unauthorized personal data via Facebook, please check out some of the news coverage of that here.
In the tweet below, Facebook VP of Consumer Hardware Andrew Bosworth (known as Boz) claims that his company’s most recent data compromise does not fall into the category of a “breach” or “hack”.
Image Credit: CYBERTOUGH™ Staff Researcher
And unfortunately, Facebook VP & Deputy General Counsel Paul Grewal echoes this same sentiment in his most recent update to the company’s own news feed on the subject.
Image Credit: CYBERTOUGH™ Staff Researcher
Sadly though, both Grewal and Bosworth are incorrect to imply that a “hack” must be technical in its nature. By definition, hacking is simply the exploitation of a previously unknown means to some end. In this specific case, that end was to psychologically profile over 50 million individuals without their consent, and the means was Facebook’s overtly weak security architecture.
The hack itself was basically just the discovery that the Facebook platform had no safeguards in place capable of detecting or stopping the malicious activities before it was too late.
Just the fact that third party apps have the ability to operate so nefariously should be seen as a corporate governance, risk, and potential compliance issue.
What would be the point of offering features like Facebook Login for Developers if there is more risk than benefit to the end user(s)? The current environment in which these features exist would suggest that they only benefit the companies that develop them and that their use comes at an extreme cost to both ad buyers and ad viewers.
And, let’s consider that while users knew they were providing their Facebook account credentials to a third party, they would have had no way of knowing that the third party was an operator who would in turn egregiously violate the platform’s terms of service.
Both poor governance and the exploitation of public trust in Facebook as a login tool made it possible for this particular app developer to launch their attack on Facebook users. Facebook failed to verify exactly how and why this and many other third-party applications would interact with their users’ data before allowing these apps to “go live” on their platform.
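As an added illustration of the missing safeguard described above (this is example code written for this post, not anything Facebook runs), the check below audits constructed platform-side API access records and flags any third-party app that reads profiles of people who never installed it, or whose reach far exceeds its consenting user base. The app names, user ids and log shape are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    app_id: str
    authorizing_user: str   # account that installed the app and granted scopes
    subject_profile: str    # profile whose data the app actually read
    field: str              # which data field was read, e.g. "likes"


def summarize(events):
    """Per app: the set of users who consented and the set of profiles read."""
    consenters = defaultdict(set)
    subjects = defaultdict(set)
    for e in events:
        consenters[e.app_id].add(e.authorizing_user)
        subjects[e.app_id].add(e.subject_profile)
    return consenters, subjects


def audit_apps(events, max_fanout=5.0, max_nonconsenting=0):
    """Return {app_id: finding} for apps reaching beyond their installed base.

    A finding is raised when the app read any profile that did not authorize it,
    or when profiles read per consenting user exceeds max_fanout.
    """
    consenters, subjects = summarize(events)
    findings = {}
    for app in consenters:
        non_consenting = subjects[app] - consenters[app]
        fanout = len(subjects[app]) / len(consenters[app])
        if len(non_consenting) > max_nonconsenting or fanout > max_fanout:
            findings[app] = {
                "consenting_users": len(consenters[app]),
                "profiles_read": len(subjects[app]),
                "non_consenting_profiles": len(non_consenting),
                "fanout": round(fanout, 1),
            }
    return findings


def constructed_log():
    """Constructed sample events (made-up ids, not real platform data)."""
    events = []
    # "quiz_app": 2 installers, each read their own profile plus 5 friends' profiles
    for u, friends in (("u1", ["f1", "f2", "f3", "f4", "f5"]),
                       ("u2", ["f6", "f7", "f8", "f9", "f10"])):
        events.append(AccessEvent("quiz_app", u, u, "likes"))
        events += [AccessEvent("quiz_app", u, f, "likes") for f in friends]
    # "weather_app": 3 installers reading only their own location field
    for u in ("u3", "u4", "u5"):
        events.append(AccessEvent("weather_app", u, u, "location"))
    return events


if __name__ == "__main__":
    for app, finding in audit_apps(constructed_log()).items():
        print(app, finding)
```

Run against the constructed log, only `quiz_app` is reported, with 10 profiles read that never installed it.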
Christopher Wylie, who worked on the University project, admits as much, saying, “We exploited Facebook to harvest millions of people’s profiles.”
The data was originally collected by a University of Cambridge professor named Aleksandr Kogan for a personality quiz app. He collected the data legitimately at first, but then violated Facebook’s terms by passing the information to Cambridge Analytica.
Cambridge Analytica is now embroiled in controversy and was forced to suspend CEO Alexander Nix, who appears in a video obtained by journalists to be suggesting that his firm would engage in coercive tactics and fraudulent activities to sway free elections for their clients. Cambridge Analytica worked with the Trump campaign to sway voters during the 2016 presidential election.
In the face of renewed scrutiny, Mark Zuckerberg now says Facebook will audit thousands of apps, something any responsible corporation should be doing all along as part of their third party API governance architecture.