EU investigating Facebook over leak of data of 530m users

Posted By : Telegraf

The EU privacy regulator is investigating Facebook over a possible breach of the General Data Protection Regulation following reports of a large-scale data leak in which the personal information of 533m users was shared online.

Earlier this month, researchers found a database of the personal information of more than 530m Facebook users, including profile names, phone numbers, location and some email addresses, circulating publicly on hacker forums. 

Facebook said at the time that “malicious actors” had obtained the data prior to September 2019 by “scraping” user profiles through a vulnerability in its contact importer tool that was reported on by the press and fixed shortly after — rather than by hacking.

But the Irish Data Protection Commission, which oversees the enforcement of the EU’s GDPR, said on Wednesday that it had opened an inquiry into Facebook after “raising queries in relation to GDPR compliance” with the Silicon Valley company’s Irish arm. 

“The DPC, having considered the information provided by Facebook Ireland regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data,” the regulator said in a statement. 

It added that it would focus on how Facebook processed data through its Messenger and Instagram contact synching tools, as well as its contact searching tool. 

The probe is the latest in a slew of regulatory challenges that the social media group currently faces over privacy and security concerns. The DPC now has 15 live investigations into the company’s apps, marking the largest number of open probes into any single company, according to a spokesperson. That includes 10 into Facebook proper, three into Instagram and two into WhatsApp. 

The Irish data regulator has yet to conclude any of its Facebook probes, but fined Twitter €450,000 at the end of last year in its first GDPR penalty. 

Under GDPR, which came into effect in mid-2018, companies must provide a “reasonable” level of protection for users’ personal data and inform regulators of any data breaches swiftly, or face big fines. 

It is unclear whether any of the user information in the Facebook data set, which was first reported by Business Insider, was leaked after GDPR came into force or not. Facebook did not notify the regulator about the leak, a DPC spokesperson said.

But the news has prompted concerns that the data could be wielded by bad actors for targeted hacking, as well as reports of scraped data sets online from other companies. LinkedIn last week confirmed that “publicly viewable member profile data that appears to have been scraped from LinkedIn” was part of one such data set, for example. 

Joe Osborne, a Facebook spokesperson, said in a statement on Wednesday: “We are co-operating fully with the IDPC in its inquiry, which relates to features that make it easier for people to find and connect with friends on our services. These features are common to many apps and we look forward to explaining them and the protections we have put in place.”
