Irish DPC says Facebook data leak affects “significant number" of EU users

The regulator is investigating the data leak involving the personal details of 533 million users

Ireland’s Data Protection Commission (DPC) is investigating the Facebook data leak involving the personal details of 533 million users.

The DPC, the Irish supervisory authority responsible for monitoring the application of GDPR, stated that of the 533 million individuals caught up in the leak, a “significant number” are EU users. It also said that much of the data appears to have been scraped some time ago from public Facebook profiles.

The DPC also explained that previous datasets were published in 2019 and 2018 and related to a large-scale scraping of the social media giant’s website, which Facebook advised occurred between June 2017 and April 2018, when it closed off a vulnerability in its phone lookup functionality.

“Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR,” wrote the DPC.“The newly published dataset seems to comprise the original 2018 (pre GDPR) dataset and combined with additional records, which may be from a later period.”

The DPC stated it had attempted to establish the full facts of the leak and is continuing to do so, although it has received “no proactive communication from Facebook”.

After the DPC contacted Facebook “through a number of channels”, the social media giant stated that the information in the dataset was publicly available and scraped prior to changes made to the platform in 2018 and 2019. 

“As I am sure you can appreciate, the data at issue appears to have been collated by third parties and potentially stems from multiple sources. It therefore requires extensive investigation to establish its provenance with a level of confidence sufficient to provide your Office and our users with additional information,” Facebook told the DPC.

Furthermore, the DPC said that some of the records released on the “hacker website” contain phone numbers and email address of users, which creates risks for users who may be spammed for marketing purposes.

Facebook stated in a blog post that it believes malicious actors used the organisation’s contact importer to scrape data from users’ Facebook profiles prior to September 2019. 

“Through the previous functionality, they [malicious actors] were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles. The information did not include financial information, health information or passwords,” it stated.

Have I Been Pwned, a free service created by security blogger Troy Hunter, has added phone number functionality to its database to allow users to see if their personal numbers have been exposed in the latest Facebook data leak.

The data of 533 million users was published by a hacker on a low-level hacking forum over the weekend. The data was available to be downloaded for free and allowed anyone to look up a Facebook user’s record using their phone number. The records, which represented around a fifth of the company’s entire user base, contained phone numbers, full names, birth dates and more.

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Recommended

Security researchers take control of a Tesla via drone
ethical hacking

Security researchers take control of a Tesla via drone

5 May 2021
Tens of thousands of Pennsylvanians health data exposed following data breach
data protection

Tens of thousands of Pennsylvanians health data exposed following data breach

4 May 2021
Cost of a data breach report 2020
Whitepaper

Cost of a data breach report 2020

30 Apr 2021
New report highlights the need for diversity in cyber security recruitment
cyber security

New report highlights the need for diversity in cyber security recruitment

28 Apr 2021

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021
Dell patches vulnerability affecting hundreds of computer models worldwide
cyber security

Dell patches vulnerability affecting hundreds of computer models worldwide

5 May 2021