The dataset leaked online included phone numbers and email addresses from Facebook users.
THE DATA PROTECTION Commission (DPC) is awaiting further information from Facebook about a data leak impacting 533 million people, many of whom are in the EU.
The data was taken from Facebook by a third party a number of years ago and republished in an unsecured database at the weekend.
It contained records from millions of Facebook users, including phone numbers and email addresses.
Facebook said that this data was scraped from its website a couple of years ago through the manipulation of a feature that has since been changed.
Scraping refers to the harvesting of information from websites.
The deputy data protection commissioner Graham Doyle said the dataset published over the weekend “seems to comprise” data from 2018 along with “additional records, which may be from a later period”.
In May 2018, the General Data Protection Regulation (GDPR) took effect in the EU. This regulation imposes fines on those who breach its data privacy and security standards.
“Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR,” Doyle said in a statement.
Doyle said the DPC “received no proactive communications from Facebook” about this latest publication of data over the weekend.
The DPC said Facebook has assured it that this issue “requires extensive investigation” and will be given high priority in order to provide “firm answers”.
“A percentage of the records released on the hacker website contain phone numbers and email address of users,” Doyle said.
“Risks arise for users who may be spammed for marketing purposes but equally users need to be vigilant in relation to any services they use that require authentication using a person’s phone number or email address in case third parties are attempting to gain access.”
The issue arose after a third party used Facebook’s contact importer feature, which allowed users to find friends on Facebook using their contact lists, to harvest personal data from users.
Facebook changed this feature in 2019 after it became aware it was being abused.
This issue was reported in 2019 after a similar database of information was briefly made publicly available through a third-party server.
A Facebook company spokesperson said today: “This is old data that was previously reported on in 2019. We found and fixed this issue in August 2019.”