Leaked Facebook data may predate GDPR
A massive dataset of personal information from 553 million Facebook users which surfaced online over the weekend may predate the GDPR, the Data Protection Commission (DPC) has said.
In a statement yesterday, the watchdog said it is continuing to “establish the full facts” in connection with the data, which has been published for free on a hacker forum.
The dataset includes names and mobile numbers and, in some cases, email addresses, gender, occupation, city, country and marital status, according to BleepingComputer.com. Data belonging to around 1.5 million Irish users are included in the set.
Facebook believes that the data was “scraped” from public profiles prior to changes made to the platform in 2018 and 2019.
The social media giant has told the DPC that the data “potentially stems from multiple sources” and the company “requires extensive investigation to establish its provenance” before it can provide more information to the authorities or to users.
When similar datasets were published in 2018 and 2019, Facebook said they had been scraped using a vulnerability in its phone lookup functionality, which it fixed in April 2018. This was not notified as a personal data breach under GDPR because the scraping took place prior to it coming into effect.
The DPC said: “Facebook assures the DPC it is giving highest priority to providing firm answers to the DPC.
“A percentage of the records released on the hacker website contain phone numbers and email address of users.
“Risks arise for users who may be spammed for marketing purposes but equally users need to be vigilant in relation to any services they use that require authentication using a person’s phone number or email address in case third parties are attempting to gain access.
“The DPC will communicate further facts as it receives information from Facebook.”