Facebook data leak could be outside scope of GDPR

Regulators may be unable to do much about leaked data on 533 million Facebook users, as it seems to have been stolen before GDPR came into force

A data leak of information on approximately 533 million Facebook users – including profile names, mobile numbers and location data – has prompted talk of regulatory action against the social media platform, but bringing a case under Europe’s General Data Protection Regulation (GDPR) may not be successful or possible.

According to Ireland’s Data Protection Commission (DPC) – which due to Facebook’s substantial presence in Ireland was early to instigate a probe into the incident – the age of the data may put it outside the scope of the GDPR.

In a statement, the DPC explained: “Previous datasets were published in 2019 and 2018 relating to a large-scale scraping of the Facebook website, which at the time Facebook advised occurred between June 2017 and April 2018 when Facebook closed off a vulnerability in its phone lookup functionality. Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR.

“The newly published dataset seems to comprise the original 2018 (pre-GDPR) dataset and combined with additional records, which may be from a later period.”

The DPC said Facebook had told it that the dataset appeared to have been collated by third parties and potentially stemmed from multiple sources, so further work was needed to establish the facts before its investigation could proceed. Facebook is understood to be co-operating fully in this regard.

GDPR would provide for a maximum fine under EU law of €20m or 4% of annual turnover, and under UK law of £17.5m or 4% of annual turnover, whichever is greater. In the US, under California’s benchmark privacy regulations, the state’s attorney general may seek penalties of $2,500 per violation. If imposed, fines could run into the billions.

The data in question appeared on an underground forum as far back as January 2021, according to Alon Gal, co-founder and CTO of Hudson Rock, an Israel-based security intelligence firm. Gal presented evidence suggesting that a forum user has now created a bot that lets users query the database for a small fee, raising the possibility of it being co-opted into various cyber scams.

Many observers said that the leak would almost inevitably result in a marked increase in attempted fraud of the sort that primarily targets consumers, such as smishing (SMS phishing) attacks, which have spiked dramatically during the past 12 months.

Jacinta Tobin, Proofpoint’s vice president of Cloudmark operations, said that such text message scams using fraudulent branding to get a mark to click on a link were often more successful than email phishes.

“Consumers trust mobile messaging, and they are much more likely to read and access links contained in text than those in email,” said Tobin.

“This level of trust paired with the reach of mobile devices makes the mobile channel ripe for fraud and identity theft… Consumers need to be very sceptical of mobile messages that come from unknown sources. And it’s important to never click on links in text messages, no matter how realistic they look.

“If you want to contact the purported vendor sending you a link, do so directly through their website and always manually enter the URL. For offer codes, type them directly into the site as well. It’s also vital that you don’t respond to strange texts or texts from unknown sources. Doing so will often confirm you’re a real person to future scammers,” she said.

Alexander Moiseev, chief business officer at Kaspersky, advised Facebook users to be more careful about the information they provide to social media platforms.

“Though we may be accustomed to leaving different information about ourselves on the internet, we still need to control what we really want to make public and what we don’t,” said Moiseev.

“That’s why it is important to understand how our data can be used if it appears in the wrong hands – for phishing, social engineering or account takeovers. And, if this happens, it is important to be prepared and use dedicated protection on our devices.”

Following unprecedented levels of interest, the leaked phone numbers have now been made searchable on HaveIBeenPwned (HIBP) – the first time HIBP has included phone numbers in its data.

Concerned Facebook users are advised to use the long-established and trusted HIBP service as opposed to one of several other sites that have sprung up in the days since the leak, some of which may be phishing attempts themselves.
