The data of 533 million Facebook users was discovered to have been uploaded to a hacking forum, and the company’s blasé response is raising some hackles. It also raises important points about crisis communications. A “nothing to see here” attitude usually doesn’t cut it, and it doesn’t here.

Hudson Rock, a cybercrime investigative firm, revealed on Saturday that the data was posted and now freely available. The information includes Facebook IDs, names, genders, birthdates, locations, some email addresses and more. Most importantly: phone numbers.

At first, we didn’t have much in the way of official word from Facebook, a company not known for its nimble crisis response.

“This is old data that was previously reported on in 2019,” Liz Bourgeois, Facebook’s director of strategic response communications, tweeted in reply to media stories on Saturday. “We found and fixed this issue in August 2019.”

So it turns out it’s “old data.” That’s a relief.

Customers, Subscribers

The folks at Facebook aren’t grasping that, while it may be old news to them, it’s new news to many others, and it is news that the information is now easily and freely available in one convenient spot. We’re willing to bet a lot of Facebook subscribers might be a little concerned. The point in crisis communications is not what you think of a situation, but what your customers (or users or subscribers) think.

It also doesn’t seem right to imply the data is stale. People tend not to change their email addresses — or their names. Cybercrime experts have pointed out the information is useful to evil doers. Mobile phone numbers are great for spam and scams, whether voice or text, and to gain access to someone’s other accounts (via two-factor authorization, for example).

“Such information is a goldmine for scammers,” The Washington Post quoted one privacy expert.

This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019. https://t.co/mPCttLkjzE

— Liz Bourgeois (@Liz_Shepherd) April 3, 2021

On Tuesday, Facebook Product Management Director Mike Clark finally addressed the issue in a blog post. He basically expanded on what the company’s tweets said. While the post had the same we’re-not-concerned tone, it did show a little empathy for its subscribers. “We have teams dedicated to addressing these kinds of issues and understand the impact they can have on the people who use our services,” Clark wrote.

Some Skepticism

His explanation about how the data (and what data) was accessed is meeting with some skepticism.

Facebook’s reaction is an all-too-familiar one: We’re in the right, our subscribers are idiots and there’s nothing to worry about. But people don’t react intellectually to crises; they react emotionally. Companies need to realize that.

At the very least, in the wake of the data posting, Facebook should have been quicker to notify users to be extra vigilant about cyber scams. In other words, it should aid subscribers in doing their own crisis preparation.

Image Credit: rvlsoft/Shutterstock

Sign up for our free weekly newsletter on crisis communications. Each week we highlight a crisis story in the news or a survey or study with an eye toward the type of best practices and strategies you can put to work each day. Click here to subscribe.