The Irish Data Protection Commission has confirmed that up to 3 million people in the EU were affected by last month’s Facebook security breach which resulted in the theft of potentially sensitive personal data.
Facebook first revealed the security breach in late September. It was the result of three distinct “bugs” introduced in July 2017 when the social media giant implemented new video upload functionality. On September 16 the firm noticed an unusual spike in users, which sparked an investigation.
Facebook finally uncovered the attack over a week later before informing the relevant parties and fixing the vulnerability.
At the time, it said that 50 million accounts had had their login access tokens stolen. In an update last week, it reduced the figure to around 30 million.
For 15 million, hackers were able to access only name and listed contact details, either phone number or email address. But for 14 million the hackers also accessed potentially sensitive information, including location data and search history.
Until now, Facebook has refused to share how many affected users were based in Europe but the Irish Data Protection Commission confirmed that 10% of the accounts were from the EU. However, it still has not provided details on how seriously they have been affected.
The Irish DPC’s probe into the breach and Facebook’s compliance with its obligations under GDPR continues. The UK Information Commissioner’s Office is also investigating the issue.