Ireland’s Data Protection Commission has announced it will investigate the recent Facebook data breach which saw hundreds of millions of users affected.
In a statement yesterday, the DPC said its investigation aimed to establish if the exposed data was from an older breach reported by the social media giant in 2019.
“The Data Protection Commission (DPC) today launched an own-volition inquiry pursuant to section 110 of the Data Protection Act 2018 in relation to multiple international media reports, which highlighted that a collated dataset of Facebook user personal data had been made available on the internet.”
The DPC said it is in close contact with Facebook Ireland, “raising queries in relation to GDPR compliance”.
It added that Facebook is cooperating with the regulator to provide clarity on the data breach.
The DPC’s investigation follows pressure from the European Commission earlier this week.
On Twitter, European Commissioner for Justice, Didier Reynders revealed he had been in contact with Irish Data Protection Commissioner Helen Dixon over the data breach.
Reynders said the EC was following the case closely and is “committed to supporting national authorities”.
The Commissioner also urged Facebook to act swiftly to “shed light on the identified issues”.
Today I spoke with Helen Dixon @DPCIreland about the #FacebookLeak. The Commission continues to follow this case closely and is committed to supporting national authorities. We also call on @Facebook to cooperate actively and swiftly to shed light on the identified issues.
— Didier Reynders (@dreynders) April 12, 2021
More than 500 million users in 106 countries have been affected by the recent data breach, first reported earlier this month, with information belonging to around 11 million UK-based users leaked.
The exposed data, which includes phone numbers, full names, email addresses and dates of birth, was published to an online hacking forum.
In the wake of the breach, Facebook insisted the issue was due to an older flaw that was fixed in 2019.
The social media giant sought to clarify the situation in an blog post online on 6th April.
According to Facebook, ‘malicious actors’ had gained access to personal information by exploiting flaws in its contact importer, which allows users to connect with friends using their contact lists.
“We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019,” the firm said.
“When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer.”
- Facebook data breach leaks data of 500 million users
- UK subsea tech to receive boost with new industry partnership
- Smart digitisation needed to decarbonise major cities worldwide
Facebook insisted that the exposed personal information was gained through scraping its platform and not by “hacking our systems”
The DPC’s investigation could spell more trouble for Facebook and lead to a GDPR fine.
In its statement, the regulator said: “The DPC…is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook users’ personal data.”
Companies found to have breached GDPR regulations could face fines of up to 4% of their annual turnover.