Ireland opens GDPR probe into Facebook data breach that exposed 533m phone numbers

This file illustration photo shows a Facebook App logo displayed on a smartphone in Los Angeles, March 1, 2021 - Chris Delmas/AFP

European regulators have launched a fresh investigation into the Facebook data breach that led to phone numbers for 533m users, including 11m in the UK, being leaked for free online.

The Irish Data Protection Commission (DPC), Facebook's lead regulator in the European Union, said the social media giant's response to the breach may have broken the bloc's GDPR data law.

It comes after Facebook was criticised for failing to notify users whose details were leaked, while the DPC faced questions over why it had not taken more action when the breach was originally reported by journalists in 2019.

The data, which contains full names, phone numbers, dates of birth and other details for 533m accounts in 106 countries, including 11.5m in the UK, was harvested from Facebook's systems through a security loophole some time before September 2019, causing new uproar when it was posted on a hacker forum earlier this month.

Facebook has refused to apologise for the incident, attempting to dismiss it as old news while struggling to identify instances where it fully explained it at the time. The DPC also said it had received "no proactive communication from Facebook" about the leak.

The British Information Commissioner's Office (ICO) is considering whether to open its own investigation. A spokeswoman said on Wednesday that it would coordinate with other regulators.

The DPC said: "Having considered the information provided by Facebook Ireland regarding this matter to date, the DPC is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data."

A spokesman for Facebook said: "We are cooperating fully with the DPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services. These features are common to many apps and we look forward to explaining them and the protections we have put in place."

The leaked data included phone numbers for high-profile figures such as US transport secretary Pete Buttigieg and Facebook's own chief executive Mark Zuckerberg. Although it includes no passwords or sensitive personal information, experts have said it could be useful for scams, spam marketing and hacking attempts.

The timeline of the breach remains murky. The DPC said it did not originally punish Facebook in 2019 because the data had been gleaned before GDPR came into force, but added that the new leak may include data from a later period.

Irish officials have been accused of giving a soft touch to Facebook and other major US tech companies, who have boosted the country's tax revenue and jobs by making it their European base.