Facebook’s lead data protection regulator in Europe has confirmed it’s put questions to the company about a major security breach that we reported on yesterday.
“The DPC became aware of this issue through the recent media coverage and we immediately made contact with Facebook and we have asked them a series of questions. We are awaiting Facebook’s responses to those questions,” a spokeswoman for the Irish Data Protection Commission told us.
We’ve reached out to Facebook for a response.
As we reported earlier, a security researcher discovered an unsecured database of hundreds of millions of phone numbers linked to Facebook accounts.
The exposed server contained more than 419 million records over several databases on Facebook users from multiple countries, including 18 million records of users in the U.K.
We were able to verify a number of records in the database — including UK Facebook users’ data.
The presence of Europeans’ data in the scraped stash makes the breach a clear matter of interest to the region’s data watchdogs.
Europe’s General Data Protection Regulation (GDPR) imposes stiff penalties for compliance failures such as security breaches — with fines that can scale as high as 4% of a company’s annual turnover.
Ireland’s DPC is Facebook’s lead data protection regulator in Europe under GDPR’s one-stop shop mechanism — meaning it leads on cross-border actions, though other concerned DPAs can contribute to cases and may also chip in views on any formal outcomes that result.
The UK’s data protection watchdog, the ICO, told us it is aware of the Facebook security incident.
“We are in contact with the Irish Data Protection Commission (DPC), as they are the lead supervisory authority for Facebook Ireland Limited. The ICO will continue to liaise with the IDPC to establish the details of the incident and to determine if UK residents have been affected,” a spokeswoman said.
It’s not yet clear whether the Irish DPC will open a formal investigation into the breach of Facebook users’ phone numbers.
It does already have a large number of open investigations on its desk into Facebook and Facebook-owned businesses since GDPR’s one-stop mechanism came into force — including one into a major token security breach last year, and many, many more.
In the case of the latest security incident, it’s also not clear exactly when Facebook users’ phone numbers were scraped from the platform. In a response yesterday the company said the data-set is “old”, adding that it “appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers”.
If that’s correct, the phone number breach is likely to pre-date April 2018 — which was when Facebook announced it was making changes to its account search and recovery feature, after finding it had been abused by what it dubbed “malicious actors”.
“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” Facebook said at the time.
It would also therefore pre-date GDPR coming into force, in May 2018, so would likely fall under earlier EU data protection laws — which carry less stringent penalties.