
The man makes some extremely reasonable points. I just wrote a comment along the same lines. I'm glad to see there is some common sense at Facebook. Stamos always seemed a bit too rational to be working at a company like that. I worry what will happen to Facebook after he leaves; they were lucky to have him.

Also, I think the real problem here is that the media is attempting to politicize the term "breach," and security professionals are rightly offended.



How would you define the term breach?

Is it fair to use the term breach from the perspective of the user whose data has been acquired? Or is breach only in reference to what the company that collected the data intended to do with it?

There are also seemingly two types of breaches at play:

1. The idea of a security breach, where a company gets “hacked”
2. The idea of a breach of trust, where people had given a company data in good faith that it would not be abused, and then had it abused, even going against that company’s TOS


This is the difficult question at the heart of the matter. Certainly I am accustomed to hearing "breach" in the context of a "security breach," in which a third party accesses data without authorization by circumventing technical measures restricting such access. In this case, there was no such security breach. The Facebook API worked as designed, and returned all data according to spec, TOS, and API documentation.

The case of a "breach of trust" is a different story, and the problem emerges when you realize that what defines "private data" (the plunder from a breach) is nothing more than an arbitrary set of restrictions, set forth by the platform producing the data itself. Without Facebook, none of this data would exist. Without the Facebook API, no app would be able to collect this data within a sanctioned platform.

Because Facebook exists, and because Facebook offers an API to its data, Cambridge Analytica was able to collect "private data" on users. But it never needed to circumvent any technical barriers to collecting the data it extracted. The Facebook API and platform willingly supplied the data to Cambridge Analytica, as it did and does to thousands of other apps.

If it constitutes a breach that Facebook supplied that data to Cambridge Analytica, then there must exist some "bug," technical or not, that Cambridge Analytica exploited to gain access to the data. What is the bug? Can Facebook identify it, document it, and rectify it? If not, can Facebook really classify it as a breach?

The fact is, there was no bug. The Facebook API and platform worked as designed and documented, and supplied all data as expected to Cambridge Analytica, along with user authorization to supply that data.

If Facebook were to classify this as a breach, they must also point to the "bug" or "vulnerability," or whatever they want to call this, that enabled and precipitated the breach. Unfortunately, there is nothing for Facebook to point to, because the real vulnerability is the system itself. Facebook created an ecosystem of private data, and Facebook defined the boundaries for access to it. Facebook cannot claim an app, that was explicitly within the boundaries of its ecosystem, utilized the Facebook API in a way that constitutes a "breach." Facebook is the only entity in control of the boundaries defining a breach, or what exactly constitutes "private" data, so trying to call this a "breach" is like changing the rules mid-game.


There is (or was) a “bug” in the business logic, as is now apparent. Assuming it is the case that CA gained access to this information by lying, it means there were inadequate safeguards in who could access the data. The only reason you could say this wasn’t a “breach” is because FB had engineered virtually no safeguards against this type of deceptive use of user data.


By design vulnerabilities are always the best!


Where does a Terms of Service violation fall in all of this? Because CA clearly violated the ToS.


Right, "breach (of trust)" is the terminology getting bandied about, and is absolutely more accurate, but I think it still obscures the issue.


We have a term for what happened: Piracy. It wasn't "theft", since the original is still there. They made and now use an unauthorized copy. In gaming and software, ignoring or working around reversible security mechanisms and violating agreements is called piracy.



