Irish DPC says Facebook data leak affects “significant number" of EU users

The regulator is investigating the data leak involving the personal details of 533 million users

Ireland’s Data Protection Commission (DPC) is investigating the Facebook data leak involving the personal details of 533 million users.

The DPC, the Irish supervisory authority responsible for monitoring the application of GDPR, stated that of the 533 million individuals caught up in the leak, a “significant number” are EU users. It also said that much of the data appears to have been scraped some time ago from public Facebook profiles.

The DPC also explained that previous datasets were published in 2019 and 2018 and related to a large-scale scraping of the social media giant’s website, which Facebook advised occurred between June 2017 and April 2018, when it closed off a vulnerability in its phone lookup functionality.

“Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR,” wrote the DPC.“The newly published dataset seems to comprise the original 2018 (pre GDPR) dataset and combined with additional records, which may be from a later period.”

The DPC stated it had attempted to establish the full facts of the leak and is continuing to do so, although it has received “no proactive communication from Facebook”.

After the DPC contacted Facebook “through a number of channels”, the social media giant stated that the information in the dataset was publicly available and scraped prior to changes made to the platform in 2018 and 2019. 

“As I am sure you can appreciate, the data at issue appears to have been collated by third parties and potentially stems from multiple sources. It therefore requires extensive investigation to establish its provenance with a level of confidence sufficient to provide your Office and our users with additional information,” Facebook told the DPC.

Furthermore, the DPC said that some of the records released on the “hacker website” contain phone numbers and email address of users, which creates risks for users who may be spammed for marketing purposes.

Facebook stated in a blog post that it believes malicious actors used the organisation’s contact importer to scrape data from users’ Facebook profiles prior to September 2019. 

“Through the previous functionality, they [malicious actors] were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles. The information did not include financial information, health information or passwords,” it stated.

Have I Been Pwned, a free service created by security blogger Troy Hunter, has added phone number functionality to its database to allow users to see if their personal numbers have been exposed in the latest Facebook data leak.

The data of 533 million users was published by a hacker on a low-level hacking forum over the weekend. The data was available to be downloaded for free and allowed anyone to look up a Facebook user’s record using their phone number. The records, which represented around a fifth of the company’s entire user base, contained phone numbers, full names, birth dates and more.

Featured Resources

2021 Thales access management index: Global edition

The challenges of trusted access in a cloud-first world

Free download

Transforming higher education for the digital era

The future is yours

Free download

Building a cloud-native, hybrid-multi cloud infrastructure

Get ready for hybrid-multi cloud databases, AI, and machine learning workloads

Free download

The next biggest shopping destination is the cloud

Know why retail businesses must move to the cloud

Free Download

Recommended

Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Veritas Backup Exec 21.3 review: Covers every angle
backup software

Veritas Backup Exec 21.3 review: Covers every angle

14 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021