Facebook to Irish data body: 533 million user breach took place before GDPR

Facebook has told the Irish Data Protection Commission that a breach involving the personal information of 533 million users worldwide took place before the EU's General Data Protection Regulation entered into force in 2018, and that the company therefore 'chose not to notify' the violation to the authorities.

Over the weekend, the personal data of millions of Facebook users appeared on an online hacking forum. [Shutterstock]


Over the weekend (3-4 April), the personal data of millions of Facebook users appeared on an online hacking forum, including phone numbers, Facebook IDs, biographical information, and locations. Some email addresses also appeared to have been scraped.

Figures broken down by country suggest that around 100 million EU users may have been affected by the leak, including 36.6 million in Italy, 10.9 million in Spain and six million in Germany.

In response to the news, Facebook’s communications department said that the data “was previously reported on in 2019” and that the company “found and fixed this issue in August 2019.”

However, in its statement to the Irish Data Protection Commission on Tuesday (6 April), the competent authority for the company's compliance with EU data protection law, Facebook said that it had 'closed off a vulnerability in its phone lookup functionality' by April 2018.

The EU's General Data Protection Regulation (GDPR), which came into effect in May 2018, obliges a company that suffers a personal data breach to notify the competent data protection authority within 72 hours of becoming aware of it, and to inform the affected users without undue delay where the breach is likely to result in a high risk to them.

But, “because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR,” the statement from the Irish data watchdog read.

The statement to the Irish DPC is therefore at odds with Facebook's earlier position, which had said the vulnerability was fixed in August 2019, a date that would have placed the breach under the notification obligations of the GDPR.

Contact importer vulnerability

The breach to which Facebook refers is believed to be a vulnerability in the platform's contact importer feature, which let users look up other people directly by phone number across Facebook and Instagram.

A loophole in that feature allowed attackers to imitate Facebook administrators and pair users with their phone numbers.

EURACTIV understands that a sample of the data posted on hacker forums this weekend matches data that had previously surfaced as part of the contact importer vulnerability fixed in late August 2019.

For its part, Facebook told the Irish data protection body that an 'extensive investigation' is under way to establish where the leaked data came from.

“The data at issue appears to have been collated by third parties and potentially stems from multiple sources,” the Irish data protection body reported Facebook as saying. “It therefore requires extensive investigation to establish its provenance with a level of confidence sufficient to provide your Office and our users with additional information.”

[Edited by Zoran Radosavljevic]
