The Irish Data Protection Commission has launched an investigation of a potential data breach at Facebook that involved the personal information of 533 million users of the social network. The breach in question does not appear to be new, as the data was in the hands of cybercriminals who were offering access to the massive database on cybercrime forums under a pay-to-search model since at least January 2021. In exchange for a modest payment, individuals could conduct lookups of the database via a Telegram instant messenger service bot.
Alon Gal, CTO of the cybercrime intelligence firm Hudson Rock, identified the pay-for-search service in January 2021 and discovered, on April 3, 2021, that the entire database had been dumped online and could be downloaded free of charge. Gal claimed that a Facebook vulnerability had been exploited to create the database. The database included Facebook IDs, telephone numbers, dates of birth, relationship status, employer, and email addresses.
Facebook announced on April 6, 2021 that an internal investigation had been launched into the dumping of the data online and later issued a statement confirming that this was not actually a data breach. Facebook claimed the database had been created by scraping Facebook profiles that were publicly accessible, comparing the incident to that of LinkedIn where the details of 500 million of its users had been scraped from publicly accessible profiles.
In the case of Facebook, the data does not appear to have been scraped in the same way as LinkedIn. Instead, personal data was obtained by abusing an API that Facebook developed to allow users to find each other. Facebook claimed that the problem had been found and fixed in August 2019 and that the data must have been obtained prior to September 2019, when the vulnerability was fixed. Facebook also said it does not intend to notify those affected.
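The abuse described above turns a contact-discovery feature into a bulk lookup tool: one client submits huge numbers of phone numbers and collects whichever profiles come back. The following added example, which is not Facebook's code and assumes only a hypothetical request log of the form `timestamp client phone-number`, shows the kind of check a defender can run over such logs to spot a single client sweeping through sequential numbers, the signature of enumeration rather than genuine friend-finding.

```python
from collections import defaultdict

# Constructed sample request log for a hypothetical contact-lookup endpoint:
# "timestamp client-id phone-number". client-A sweeps a contiguous number
# range; client-B submits a few unrelated numbers, as a real address book would.
SAMPLE_LOG = """\
2019-08-01T10:00:00Z client-A +15550001001
2019-08-01T10:00:00Z client-A +15550001002
2019-08-01T10:00:01Z client-A +15550001003
2019-08-01T10:00:01Z client-A +15550001004
2019-08-01T10:00:02Z client-A +15550001005
2019-08-01T10:00:02Z client-A +15550001006
2019-08-01T10:00:03Z client-A +15550001007
2019-08-01T10:00:03Z client-A +15550001008
2019-08-01T10:02:10Z client-B +15550007731
2019-08-01T10:02:11Z client-B +15550002204
2019-08-01T10:02:11Z client-B +15550009150
"""


def parse_log(text):
    """Return {client_id: set of looked-up numbers as ints} from the log text."""
    lookups = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _timestamp, client, number = line.split()
        lookups[client].add(int(number.lstrip("+")))
    return lookups


def sequential_fraction(numbers):
    """Fraction of looked-up numbers whose immediate successor was also looked up.
    Address-book imports score near 0; a range sweep scores near 1."""
    if len(numbers) < 2:
        return 0.0
    hits = sum(1 for n in numbers if n + 1 in numbers)
    return hits / (len(numbers) - 1)


def flag_enumeration(text, min_distinct=5, min_seq_fraction=0.5):
    """Return {client_id: (distinct_count, seq_fraction)} for clients whose
    lookup pattern looks like enumeration: many distinct numbers, mostly contiguous."""
    flagged = {}
    for client, numbers in parse_log(text).items():
        frac = sequential_fraction(numbers)
        if len(numbers) >= min_distinct and frac >= min_seq_fraction:
            flagged[client] = (len(numbers), round(frac, 2))
    return flagged
```

Thresholds are placeholders; in practice they would be tuned against the volume and contiguity of legitimate contact imports, and a flagged client would be rate-limited or challenged rather than silently served.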
Since Facebook has a base in Ireland, the Irish DPC is tasked with investigating any Facebook data breaches to determine if there have been any violations of the General Data Protection Regulation (GDPR). The Irish DPC issued a statement confirming an investigation had been launched into the breach, “The Data Protection Commission (DPC) today launched an own-volition inquiry pursuant to section 110 of the Data Protection Act 2018 in relation to multiple international media reports, which highlighted that a collated dataset of Facebook user personal data had been made available on the internet. This dataset was reported to contain personal data relating to approximately 533 million Facebook users worldwide. The DPC engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance to which Facebook Ireland furnished a number of responses.”
The Irish DPC later issued a further statement suggesting there may have been GDPR violations: “The DPC, having considered the information provided by Facebook Ireland regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data.” Facebook has confirmed that it is cooperating with the Irish DPC and its enquiry.
If violations of the GDPR are confirmed, Facebook can be fined up to €20 million or 4% of global annual turnover for the previous fiscal year. With global revenues of $86 billion, a financial penalty of $3.44 billion could be possible.
Even if there have been no GDPR violations, the breach could still prove costly for Facebook. Digital Rights Ireland has announced that it is commencing a legal action against Facebook seeking compensation for all users of the platform who had their personal data stolen. “This will be the first mass action of its kind but we’re sure it won’t be the last,” said Antoin Ó Lachtnain, director of Digital Rights Ireland.