Ireland launches investigation into Facebook data leak

Ireland launches investigation into Facebook data leak
© iStock

Ireland’s privacy agency is launching an investigation into a trove of information from roughly half a billion Facebook users that has been leaked and is circulating online.

“This dataset was reported to contain personal data relating to approximately 533 million Facebook users worldwide,” the country's Data Protection Commission (DPC) said in a release Wednesday

“The DPC engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance to which Facebook Ireland furnished a number of responses," it added.

ADVERTISEMENT

A spokesperson for Facebook told The Hill the company is fully cooperating with the inquiry.

The origin of the data, which includes profile names, email addresses and phone numbers, is unclear.

The information was posted on an amateur hacking forum earlier this month, but the data appears to be older. 

Facebook has said that the data was reported on in 2019 and that it has already patched the vulnerability that allowed the information to be scraped.  

The company does not plan on notifying users affected as of now.

Facebook’s failure to notify regulators about the breach, including the DPC, could end up running it afoul of Europe’s General Data Protection Regulation (GDPR), which went into effect in May 2018.

ADVERTISEMENT

Under the data privacy rule, European regulators can slap fines of up to 2 percent of global annual turnover if companies fail to notify them about breaches, or 4 percent for more serious violations.

Facebook’s claim that the data is old could protect it from those penalties if the breach predated the GDPR application. 

The DPC said Wednesday that based on information provided by Facebook Ireland, it is “of the opinion” that one or more provisions of the GDPR may have been infringed.

“Accordingly, the Commission considers it appropriate to determine whether Facebook Ireland has complied with its obligations, as data controller, in connection with the processing of personal data of its users,” the agency said.

--Updated at 12:06 p.m.