Call it Cambridge Analytica 2.0.
Three years after a scandal that saw data from nearly 90 million people illegally harvested to influence votes in elections like Donald Trump’s 2016 win, Facebook finds itself in the middle of a tornado of questions around how it handles data.
This time, data on almost half a billion Facebook users was found online. But while the company insists it fixed the leak in 2019 and that the case is closed, EU data watchdogs aren’t so sure.
The Irish Data Protection Commission said Tuesday it was examining the reports — and that it had received “no pro-active communication” yet on the matter from the social networking giant as of midday on Tuesday.
The trove of data — which includes phone numbers, Facebook IDs, full names and birth dates — was discovered by Alon Gal of the cybercrime intelligence firm Hudson Rock on Saturday after it was made available online for free.
The trove contains data on millions of Europeans, who are covered by the General Data Protection Regulation privacy rulebook.
In a statement, the Irish Data Protection Commission (DPC), which is in charge of overseeing Facebook in the European Union, said it had spent the weekend trying to get to the bottom of the leak and was continuing to do so. During that time it had “received no proactive communication from Facebook,” the statement added.
Clashing timelines
According to the regulator, the Facebook leak dates back to a large-scale scraping of data which Facebook said had occurred between June 2017 and April 2018, when it was closed off, before the GDPR went into effect.
“Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR,” the statement said.
However, Facebook’s own public communication stated that the vulnerability had been closed off in August 2019, more than a year after the GDPR came into force.
“This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019,” Facebook representative Liz Bourgeois wrote on Twitter.
Under the GDPR, major data leaks or breaches must be notified to the relevant regulator within 72 hours.
As Ireland tries to get to the bottom of the apparent discrepancy, other regulators are waiting in the wings.
Hamburg data regulator Johannes Caspar, who oversees Facebook in Germany, called the data leak “appalling.”
“Since the incident became known two years ago, the question arises what the responsible supervisory authority has been doing in this matter since then,” Caspar said.
The U.K.’s data watchdog, which previously fined Facebook for its role in the Cambridge Analytica scandal, said it is aware of the reports and “will be looking into them on behalf of UK citizens,” of which over 11 million were affected.
Italy is the most heavily affected EU country, with more than 35 million users from that country caught up in the leak. Almost 20 million French users were affected.
Collective action brewing
The data leak, which included phone numbers, will open users up to all kinds of phishing attacks including by SMS or phone calls, a technique known as smishing. It means a cybercriminal or hacker would try to lure victims into clicking on links or responding to requests in text messages.
The German federal data regulator Ulrich Kelber reported that he has already been targeted by one of these attacks, posting a picture on Twitter of a text message which invited him to click on a fraudulent link.
With millions of Europeans exposed to heightened hacking risks, a mass of compensation claims could be on the way.
Thomas Bindl of the data breach legal action outfit Europäische Gesellschaft für Datenschutz told POLITICO he had already signed up hundreds of affected users.
“We expect that affected people are entitled to compensation of a few hundred euro,” he said, adding that he planned to launch legal action soon.
This article has been updated.