Facebook Data Breach: Answers Demanded - Latest Updates

Data Breach at Facebook Prompts EU Regulatory Inquiry
Facebook is currently facing scrutiny from its primary data protection regulator within the European Union concerning a substantial data breach that surfaced over the weekend.
Details of the Reported Breach
The breach, initially reported by Business Insider on Saturday, involved the exposure of personal data – encompassing email addresses and mobile phone numbers – linked to over 500 million Facebook accounts. This information was reportedly made available on a hacking forum, potentially compromising the privacy of a vast number of users.
According to Business Insider, the compromised data originates from 106 countries, with over 32 million records pertaining to users in the United States, 11 million in the United Kingdom, and 6 million in India. The leaked information includes phone numbers, Facebook user IDs, full names, locations, birthdates, biographical details, and, in some instances, email addresses.
Facebook’s Response and Concerns
Facebook characterized the incident as relating to a vulnerability within its platform that was identified and resolved in August 2019, labeling the exposed data as “old.” The company also stated that this issue was previously reported in 2019. Security professionals have questioned this downplaying of the breach, however, noting that phone numbers, full names and birthdates rarely change, so records scraped in 2019 remain just as useful to an attacker today.
The extent to which all the data is genuinely “old” remains unclear.
GDPR Implications and Regulatory Action
Facebook’s attempt to minimize the severity of the breach is likely influenced by the stringent penalties outlined in European Union data protection regulations for failing to promptly report significant breaches to relevant authorities. The General Data Protection Regulation (GDPR) requires data protection by design and by default, and requires a controller to notify its supervisory authority of a personal data breach within 72 hours of becoming aware of it.
By asserting the data is “old,” Facebook may be attempting to suggest it predates the GDPR’s enforcement in May 2018.
Irish Data Protection Commission’s Investigation
The Irish Data Protection Commission (DPC), Facebook’s lead data supervisor in the EU, has indicated that it is not yet certain whether the data predates GDPR.
Graham Doyle, the DPC’s deputy commissioner, stated that the dataset appears to include the original 2018 data, alongside additional records potentially from a later period. He also confirmed that a significant portion of the affected users are located within the EU.
Data Scraping and Previous Incidents
Much of the data appears to have been obtained through scraping of Facebook public profiles, a practice that Facebook addressed in 2019 by closing a vulnerability in its phone lookup functionality. Facebook initially chose not to report this earlier scraping as a GDPR breach, as it occurred before the regulation came into effect.
The DPC is actively seeking to establish the complete details of the breach from Facebook and has emphasized the ongoing lack of clarity, despite Facebook’s claims.
Lack of Proactive Communication
The DPC also noted that Facebook did not proactively inform them of the issue, a requirement under GDPR. Instead, the regulator had to initiate contact with Facebook through multiple channels to obtain information.
Facebook explained that the information was likely scraped prior to the platform changes implemented in 2018 and 2019 following the Cambridge Analytica scandal.
Past Vulnerabilities and Lawsuits
An unprotected database of Facebook phone numbers was discovered online in September 2019. Furthermore, Facebook admitted to a vulnerability in a search tool in April 2018, which allowed the scraping of public Facebook information from an estimated 1 to 2 billion users.
Last year, Facebook initiated legal action against two companies accused of international data scraping.
Risks to Users
The exposure of this data poses risks to Facebook users, including the potential for spam, phishing attacks, and identity theft.
Ongoing Investigation and Data Provenance
The DPC has been informed by Facebook that the data likely originated from multiple sources and was collated by third parties. Facebook acknowledges the need for a thorough investigation to determine the data’s origin.
Facebook has assured the DPC that it is prioritizing a response and providing firm answers.
User Vigilance and Potential Risks
The leaked records contain phone numbers and email addresses, potentially exposing users to marketing spam and increasing the risk of unauthorized access to accounts that rely on SMS codes or email links for login or account recovery. A phone number paired with a full name, location and birthdate is also most of what a SIM-swap attacker needs to persuade a carrier to port the number, after which SMS-based codes for any service are delivered to the attacker.
The DPC will provide further updates as information becomes available from Facebook.
Resources for Concerned Users
Facebook users concerned about potential exposure can utilize the data breach advice site, haveibeenpwned, to search for their phone number or email address.
According to Troy Hunt of haveibeenpwned, this latest data dump contains a greater number of mobile phone numbers than email addresses.
Facebook’s Updated Statement
Facebook has since published a blog post stating that the data was likely scraped from user profiles by “malicious actors” using a contact importer feature prior to September 2019. The company claims the information did not include financial, health, or password data.
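To make the scraping pattern concrete, both this statement and the earlier paragraph on the phone lookup vulnerability describe the same class of problem: a feature that matches uploaded phone numbers to accounts can be driven with generated numbers instead of a real address book. The following Python script is an added example written for this article, not Facebook's code. It models a contact-importer endpoint, shows how an unbounded version can be swept across a dialling range to enumerate users, and contrasts it with a hardened version. The endpoint design, the user records, the limits and the "discoverable by phone" setting are all assumptions; every number is constructed.

```python
"""Toy model of a contact-importer / phone-lookup endpoint and bulk enumeration.

Added example for this article, not Facebook's code. The service internals,
limits and the discoverability setting are assumptions; all numbers are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class User:
    uid: int
    name: str
    phone: str                          # E.164, constructed sample value
    discoverable_by_phone: bool = True  # models a "who can look me up by phone" setting


# Constructed sample directory; not real people or numbers.
DIRECTORY = {u.phone: u for u in [
    User(1001, "Ada", "+15550100001"),
    User(1002, "Bob", "+15550100007", discoverable_by_phone=False),
    User(1003, "Cy", "+15550100042"),
    User(1004, "Dee", "+15550100099"),
]}


def naive_lookup(phones):
    """Weak design: any batch size, no per-caller budget, discoverability ignored.
    Every number that exists in the directory comes back linked to a profile."""
    return {p: (DIRECTORY[p].uid, DIRECTORY[p].name) for p in phones if p in DIRECTORY}


def enumerate_range(lookup, prefix, start, stop, batch=1000):
    """Attacker loop: the importer was meant to receive a real address book, but
    nothing stops a client that imitates the app from uploading a whole dialling
    range and keeping the hits."""
    candidates = [f"{prefix}{i:03d}" for i in range(start, stop)]
    found = {}
    for i in range(0, len(candidates), batch):
        found.update(lookup(candidates[i:i + batch]))
    return found


class HardenedLookup:
    """Same feature with the controls a matching endpoint should have.

    The budget is charged per *submitted* number, not per match: an enumerator
    submits mostly non-existent numbers, so charging only for hits would let it
    sweep whole ranges for free.
    """
    MAX_BATCH = 50        # the size of an address book, not a dialling range
    DAILY_BUDGET = 200    # per caller (account, device or app token); assumed value

    def __init__(self):
        self.spent = defaultdict(int)

    def lookup(self, caller, phones):
        if len(phones) > self.MAX_BATCH:
            raise ValueError("batch too large")
        if self.spent[caller] + len(phones) > self.DAILY_BUDGET:
            raise PermissionError("lookup budget exhausted")
        self.spent[caller] += len(phones)
        hits = {}
        for p in phones:
            u = DIRECTORY.get(p)
            # A non-discoverable user looks exactly like a number not on the service.
            if u is not None and u.discoverable_by_phone:
                hits[p] = (u.uid, u.name)
        return hits


if __name__ == "__main__":
    # One sweep of 100 generated numbers against the naive endpoint recovers every account.
    print(enumerate_range(naive_lookup, "+15550100", 0, 100))
    # Against the hardened endpoint the scraper must drop to small batches and
    # then runs out of budget long before it has covered a useful range.
    hardened = HardenedLookup()
    try:
        enumerate_range(lambda ps: hardened.lookup("scraper", ps), "+15550100", 0, 1000, batch=50)
    except (ValueError, PermissionError) as exc:
        print("hardened endpoint refused:", exc)
```

The three controls are independent and a real deployment would want all of them: the batch cap stops the cheapest version of the sweep, the per-caller budget (kept in durable storage, not in-process, and keyed to something harder to rotate than an IP address) makes scaling the sweep expensive, and honouring the user's discoverability setting limits what a successful sweep can reveal at all. A low ratio of matches to submitted numbers is itself a useful detection signal, since genuine address books match far more often than generated ranges do.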
Concerns Regarding Transparency
However, Facebook has not detailed the specific data obtained by these actors or identified and prosecuted them. The company’s response focuses on its terms of service and efforts to remove the data, without providing concrete examples of successful enforcement.
The UK’s data protection regulator recently indicated that a legal agreement with Facebook prevents public discussion of an app audit initiated after the Cambridge Analytica scandal, raising concerns about transparency.
Recommendations for Users
Facebook recommends users review their privacy settings, including who can look them up by phone number or email address, and enable two-factor authentication. SMS-based 2FA ties account security to a phone number that is now in a public dump and that Facebook has previously used for ad targeting; a hardware security key or an authenticator app generating time-based codes is affected by neither and is the better choice.
Further Updates
Facebook has stated it will not comment on its communication with regulators and has no plans to individually notify users about the breach, citing uncertainty about who needs to be informed due to the data scraping method.
Ultimately, the incident underscores the ongoing challenges Facebook faces in protecting user data and maintaining transparency.
- Data Breach: Over 500 million Facebook accounts affected.
- GDPR: Potential penalties for non-compliance with data protection rules.
- Data Scraping: A key method used to obtain the compromised data.
- DPC: The Irish Data Protection Commission is leading the investigation.