Irish DPC says Facebook data leak affects “significant number” of EU users

The regulator is investigating the data leak involving the personal details of 533 million users

Ireland’s Data Protection Commission (DPC) is investigating the Facebook data leak involving the personal details of 533 million users.

The DPC, the Irish supervisory authority responsible for monitoring the application of GDPR, stated that of the 533 million individuals caught up in the leak, a “significant number” are EU users. It also said that much of the data appears to have been scraped some time ago from public Facebook profiles.

The DPC also explained that previous datasets were published in 2019 and 2018 and related to a large-scale scraping of the social media giant’s website, which Facebook advised occurred between June 2017 and April 2018, when it closed off a vulnerability in its phone lookup functionality.

“Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR,” wrote the DPC. “The newly published dataset seems to comprise the original 2018 (pre GDPR) dataset and combined with additional records, which may be from a later period.”

The DPC stated it had attempted to establish the full facts of the leak and is continuing to do so, although it has received “no proactive communication from Facebook”.

After the DPC contacted Facebook “through a number of channels”, the social media giant stated that the information in the dataset was publicly available and scraped prior to changes made to the platform in 2018 and 2019. 

“As I am sure you can appreciate, the data at issue appears to have been collated by third parties and potentially stems from multiple sources. It therefore requires extensive investigation to establish its provenance with a level of confidence sufficient to provide your Office and our users with additional information,” Facebook told the DPC.

Furthermore, the DPC said that some of the records released on the “hacker website” contain phone numbers and email addresses of users, which creates risks for users who may be spammed for marketing purposes.

Facebook stated in a blog post that it believes malicious actors used the organisation’s contact importer to scrape data from users’ Facebook profiles prior to September 2019. 

“Through the previous functionality, they [malicious actors] were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles. The information did not include financial information, health information or passwords,” it stated.

Have I Been Pwned, a free service created by security blogger Troy Hunt, has added phone number functionality to its database to allow users to see if their personal numbers have been exposed in the latest Facebook data leak.

The data of 533 million users was published by a hacker on a low-level hacking forum over the weekend. The data was available to be downloaded for free and allowed anyone to look up a Facebook user’s record using their phone number. The records, which represented around a fifth of the company’s entire user base, contained phone numbers, full names, birth dates and more.
