The Data Protection Commission (DPC) in Ireland will investigate the Facebook incident from earlier this month. In the the incident, data from more than half a billion users was posted online.
According to the privacy watchdog, one or more provisions of the GDPR and the Data Protection Act 2018 were breached and may still be in progress. The DPC has contacted Facebook Ireland to investigate the matter.
The DPC considers it appropriate to determine whether Facebook Ireland has complied with its obligations as a data controller. The privacy watchdog specifically points to the processing of personal data with Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer. It is possible that Facebook violated the GDPR and Data Protection Act 2018 with these features.
A Facebook spokesperson told The Register that the company is fully cooperating with the IDPC’s investigation into the features to search for other contacts. “These features are common to many apps and we look forward to explaining them and the protections we have put in place.”
Data of 533 million users posted online
Earlier this month, data from 533 million Facebook users were found to have been shared on the internet. The shared data included phone numbers and, to a lesser extent, email addresses. The gender, profession, city, country and relationship status of users were also shared.
According to Facebook, the incident wasn’t a leak. Instead, the perpetrators scraped the data from the social network. Many users have the data in question publicly displayed on their profiles. The perpetrators used an exploit in a Facebook tool for synchronising contacts. After the discovery of the exploit, Facebook immediately patched the vulnerability. Thus, no data from after September 2019 was leaked.
Because the company is not confident that it has a complete understanding of exactly which end users were affected, it is not informing users about the data breach. The company is also convinced that users cannot do anything about the problem and that the data is now public.
Similar incidents at LinkedIn and Clubhouse
Facebook is not the only social network that has been the victim of a data leak by a scraper in recent weeks. The data of more than half a billion LinkedIn users also went public. Also, the data of more than 1.3 million Clubhouse users appeared on the Internet.