Facebook is risking the wrath of both consumers and regulators alike after refusing to notify any of its half a billion users whose personal data has been leaked online on a hacking forum, insisting that the data was publicly available anyway.
News of the leak first emerged over the Easter weekend, after a hacker posted the information on a forum. It was available to download for free and allowed anyone to look up a Facebook user’s record using their phone number.
It contains details on more than 533 million Facebook users from 106 countries, including 44 million from Egypt, 39 million in Tunisia, 32 million in the US and 11 million in the UK. The data includes full names, phone numbers, gender, date of birth, location, relationship status and email address.
However, Facebook has attempted to downplay the seriousness of the leak, claiming the information was publicly available and had been scraped before changes it made to its platform in 2018 and 2019.
In a blog post Facebook product management director Mike Clark said that “malicious actors” had accessed the user data “not through hacking Facebook systems” but by scraping it from people’s Facebook profiles prior to September 2019.
According to Clark, the hackers used Facebook’s contact importer feature, which was designed to help people easily find their friends on Facebook using their contact lists. He added that the feature, which had allowed anyone to scrape data from the Facebook platform, was fixed in 2019 and no longer exists.
The company also said hackers had only obtained a limited set of data about users and that it did not include sensitive details, such as passwords, health or financial information.
“While we can’t always prevent data-sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work,” Clark added.
Facebook has subsequently told Reuters that it was not confident it had full visibility into which users would need to be informed; it also took into account that there was nothing affected users could do to fix the issue at their end.
However, the Irish Data Protection Commission – Facebook’s lead data protection regulator in the EU – is pressing the tech giant to hand over the full facts of the leak, saying it has received “no proactive communication from Facebook”.
In a statement, the regulator said: “Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR. The newly published dataset seems to comprise the original 2018 (pre-GDPR) dataset combined with additional records, which may be from a later period.”
The UK Information Commissioner’s Office, which now acts independently of Brussels following Brexit, has yet to comment on the incident.