Facebook’s lead data protection regulator in the European Union is seeking answers from the tech giant over a major data breach reported over the weekend.
The breach was reported by Business Insider on Saturday, which said personal data (including email addresses and mobile phone numbers) of more than 500 million Facebook accounts had been posted to a low-level hacking forum — making the personal information on hundreds of millions of Facebook users’ accounts freely available.
“The exposed data includes the personal information of over 533M Facebook users from 106 countries, including over 32M records on users in the US, 11M on users in the UK, and 6M on users in India,” Business Insider said, noting that the dump includes phone numbers, Facebook IDs, full names, locations, birthdates, bios and some email addresses.
Facebook responded to the report of the data dump by saying it related to a vulnerability in its platform it had “found and fixed” in August 2019 — dubbing the info “old data” which it also claimed had been reported in 2019. However as security experts were quick to point out, most people don’t change their mobile phone number often — so Facebook’s trigger reaction to downplay the breach looks like an ill-thought-through attempt to deflect blame.
It’s also not clear whether all the data is all “old”, as Facebook’s initial response suggests.
There’s plenty of reasons for Facebook to try to downplay yet another data scandal. Not least because, under European Union data protection rules, there are stiff penalties for companies that fail to promptly report significant breaches to relevant authorities. And indeed for breaches themselves — as the bloc’s General Data Protection Regulation (GDPR) bakes in an expectation of security by design and default.
By pushing the claim that the leaked data is “old” Facebook may be hoping to peddle the idea that it predates the GDPR coming into application (in May 2018).
However, the Irish Data Protection Commission (DPC), Facebook’s lead data supervisor in the EU, told TechCrunch that it’s not abundantly clear whether that’s the case at this point.
“The newly published dataset seems to comprise the original 2018 (pre-GDPR) dataset and combined with additional records, which may be from a later period,” the DPC’s deputy commissioner, Graham Doyle said in a statement.
“A significant number of the users are EU users. Much of the data appears to been data scraped some time ago from Facebook public profiles,” he also said.
“Previous datasets were published in 2019 and 2018 relating to a large-scale scraping of the Facebook website which at the time Facebook advised occurred between June 2017 and April 2018 when Facebook closed off a vulnerability in its phone lookup functionality. Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR.”
Doyle said the regulator sought to establish “the full facts” about the breach from Facebook over the weekend and is “continuing to do so” — making it clear that there’s an ongoing lack of clarity on the issue, despite the breach itself being claimed as “old” by Facebook.
The DPC also made it clear that it did not receive any proactive communication from Facebook on the issue — despite the GDPR putting the onus on companies to proactively inform regulators about significant data protection issues. Rather, the regulator had to approach Facebook — using a number of channels to try to obtain answers from the tech giant.
Through this approach the DPC said it learnt Facebook believes the information was scraped prior to the changes it made to its platform in 2018 and 2019 in light of vulnerabilities identified in the wake of the Cambridge Analytica data misuse scandal.
A huge database of Facebook phone numbers was found unprotected online back in September 2019.
Facebook had also earlier admitted to a vulnerability with a search tool it offered — revealing in April 2018 that somewhere between 1 billion and 2 billion users had had their public Facebook information scraped via a feature which allowed people to look up users by inputting a phone number or email — which is one potential source for the cache of personal data.
Last year Facebook also filed a lawsuit against two companies it accused of engaging in an international data scraping operation.
But the fallout from its poor security design choices continue to dog Facebook years after its ‘fix’.
More importantly, the fallout from the massive personal data spill continues to affect Facebook users whose information is now being openly offered for download on the internet — opening them up to the risk of spam and phishing attacks and other forms of social engineering (such as for attempted identity theft).
There are still more questions than there are answers about how this “old” cache of Facebook data came to be published online for free on a hacker forum.
The DPC said it was told by Facebook that “the data at issue appears to have been collated by third parties and potentially stems from multiple sources”.
The company also claimed the matter “requires extensive investigation to establish its provenance with a level of confidence sufficient to provide your Office and our users with additional information” — which is a long way of suggesting that Facebook has no idea either.
“Facebook assures the DPC it is giving highest priority to providing firm answers to the DPC,” Doyle also said. “A percentage of the records released on the hacker website contain phone numbers and email address of users.
“Risks arise for users who may be spammed for marketing purposes but equally users need to be vigilant in relation to any services they use that require authentication using a person’s phone number or email address in case third parties are attempting to gain access.”
“The DPC will communicate further facts as it receives information from Facebook,” he added.
At the time of writing Facebook had not responded to a request for comment about the breach.
According to haveibeenpwned’s Troy Hunt, this latest Facebook data dump contains far more mobile phone numbers than email addresses.
He writes that he was sent the data a few weeks ago — initially getting 370 million records and later “the larger corpus which is now in very broad circulation”.
“A lot of it is the same, but a lot of it is also different,” Hunt also notes, adding: “There is not one clear source of this data.”
Update: Facebook has now published a blog post with some additional details about the breach in which it writes that it believes the data in question was scraped from people’s Facebook profiles by “malicious actors” using a contact importer feature prior to September 2019 — before it made changes to the tool intended to prevent abuse by blocking the ability to upload a large set of phone numbers to find ones that matched profiles.
“Through the previous functionality, [users of Facebook’s contact importer tool] were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles,” Facebook writes, adding that the information obtained did not include financial information, health information or passwords.
However it does not specify what data could have been obtained by these malicious actors repurposing its tools. Or whether it has identified and sought to prosecute the actors in question.
Instead its PR segues into stating that such action is against its terms — as well as claiming it is “working to get this data set taken down”. It also says it will “continue to aggressively go after malicious actors who misuse our tools wherever possible” — again without offering any examples of instances where it has successfully identified and definitively barred an abuser from its service.
(Where, for instance, is the final report of an internal app audit that Facebook said it would carry out after the Cambridge Analytica scandal back in 2018? The UK’s data protection regulator said recently that a legal deal it has with Facebook prevents it from discussing the app audit in public. So Facebook certainly appears to have an aggressive approach when it comes to avoiding transparency on how it tackles misuse of its tools… )
“While we can’t always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work,” Facebook adds in the PR, offering no guarantees to users that their data is safe with its service.
Instead it recommends users check the privacy settings it offers for accounts, including those which provide some controls over how others can find you on its service — a line which seeks to deflect from the latest Facebook data breach revelation via some suggestive blame-shifting; i.e. by implying that responsibility for data security is in the hands of Facebook users, rather than Facebook itself.
Of course that’s not the case. Not least because Facebook users are only offered partial controls over their data by Facebook, and entirely of Facebook’s design and devising (including setting privacy-hostile defaults).
Moreover, in Europe at least, the company has a legal responsibility to bake security into the design of its products. Failure to offer an adequate level of protection for personal data can attract major regulatory sanction — although the company continues to benefit from a GDPR enforcement bottleneck.
Facebook’s PR also suggests users enable two-factor authentication to improve account security.
That’s certainly a good idea but on the 2FA front it’s worth noting that Facebook does now offer support for security key and third-party authentication apps for 2FA — meaning you can add this extra layer of security without risking giving Facebook your mobile number. And since the service has demonstrably leaked users’ phone numbers at vast scale — while the business has also admitted to using 2FA digits for ad targeting — you really shouldn’t trust Facebook with your phone number.
Update 2: In additional background remarks Facebook said it will not be commenting on how it communicates with regulators.
It also said it has no plans to notify users individually about the breach — further specifying that owing to how the data was obtained (scraping) it cannot be entirely sure who would need to be notified.