Ireland’s Privacy Watchdog Launches GDPR Probe of Facebook
Data Protection Commission Sees Likely Violations in Wake of Latest Mega-Breach
Ireland's privacy regulator has launched an investigation into Facebook after personal information for 533 million of the social network's users appeared for sale online.
The Data Protection Commission, which enforces the EU's General Data Protection Regulation as well as Ireland's Data Protection Act, on Wednesday announced that it had "launched an own-volition inquiry pursuant … to multiple international media reports, which highlighted that a collated dataset of Facebook user personal data had been made available on the internet."
"The DPC engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance to which Facebook Ireland furnished a number of responses."
Facebook first confirmed last week that 533 million of its users appeared to have had their profile names and ID numbers, locations, biographical information, email addresses and phone numbers stolen - even when users had set their phone numbers to not appear on their profile page. Facebook says the data appears to have been stolen from June 2017 to April 2018 and later combined with other data.
Reached for comment on the Irish commission's announcement, a Facebook spokesman shared this statement: "We are cooperating fully with the IDPC in its inquiry, which relates to features that make it easier for people to find and connect with friends on our services. These features are common to many apps, and we look forward to explaining them and the protections we have put in place."
Data Was for Sale
Evidence of the breach has been circulating for some time. In January, Alon Gal (@UnderTheBreach), CTO of cybercrime intelligence firm Hudson Rock, first reported that a Facebook vulnerability had been exploited and used to create a database containing that information. He said the information was accessible via the cybercrime-as-a-service model, in which a user could inexpensively query a bot for the Telegram instant messaging service to provide lookups of the database.
On April 3, Gal said that the entire database had been dumped online for free. It's unclear why that happened. Perhaps the database wasn't earning the Telegram bot creator any more money. On April 6, Facebook publicly confirmed that it was investigating the breach.
"All 533,000,000 Facebook records were just leaked for free. This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked. I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3" - Alon Gal (Under the Breach) (@UnderTheBreach), April 3, 2021
The Irish commission's launch of an investigation comes despite Facebook attempting to downplay its responsibility for the breach by claiming that attackers had obtained the data "not through hacking our systems but by scraping it from our platform," apparently by abusing an API that Facebook built to allow users to find each other (see: Facebook Tries to 'Scrape' Its Way Through Another Breach).
Scrapers Gonna Scrape
On Thursday, Facebook published a blog post, How We Combat Scraping, attributed to Mike Clark, a product management director.
It's not clear what anti-scraping practices Facebook had in place when the data was exposed. But as of now, "we devote substantial resources to combating unauthorized scraping on Facebook products," Clark says. "We have a dedicated External Data Misuse team made up of more than 100 people, including data scientists, analysts and engineers, focused on our efforts to detect, block and deter scraping."
The company says it also uses threat intelligence to watch for datasets appearing online, and it uses legal means to try to disrupt scrapers' behavior and sites that host scraped data. "This is also why it’s important for governments to do more to investigate and take action against unlawful scraping activity," Clark says.
Arguably, however, once data gets exposed and stolen, there's no way to remove it from the many cybercrime forums that operate from areas such as Russia, no matter what Western governments might do.
Breach: Not Like LinkedIn or Clubhouse
Facebook also attempted to liken the breach of its 533 million users' details to other incidents that have recently come to light.
"Given the fact that similar stories have emerged since then about public datasets involving information obtained from a number of other companies, including LinkedIn and Clubhouse, we’d like to explain more about what scraping is, how it works and what we’re doing to prevent scraping to protect people’s information," Clark says in the post.
But Facebook's attempt to link its exposure of users' personal information with what happened to LinkedIn and the startup social networking app Clubhouse appears to be disingenuous: Facebook experienced a breach that exposed private information; the others did not (see: A Tale of 3 Data 'Leaks': Clubhouse, LinkedIn, Facebook).
In the case of LinkedIn, a cybercrime forum seller recently began advertising 500 million LinkedIn user records, as CyberNews first reported. The seller said the profiles included "emails, phone and other details."
In a statement released last Thursday, however, LinkedIn said the data involves only information that is already publicly accessible via its site and may have been combined with information from other sites. "This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we've been able to review," it said.
Similarly, Clubhouse said that its systems had not been breached or hacked, following reports that its user data had appeared on a cybercrime forum. Clubhouse said the information - name and username, user ID, profile photo, number of followers, number of other Clubhouse users followed, account creation date and some other details - had been scraped from users' public profiles. No personally identifiable information, such as phone numbers, email addresses or other sensitive information, was exposed, it said.
Rehearsal for the Defense
The carefully calibrated communications from Facebook - a company that refers to nation-state intelligence agencies abusing its platform as "coordinated inauthentic behavior" - appear to be a sign of the company rehearsing its defense for the latest in a long line of data breaches leading to regulatory investigations.
Because Facebook's European headquarters are in Ireland, under GDPR's one-stop-shop provisions, the DPC currently takes the lead on any investigations. (That could change this year. In January, the European Court of Justice’s Advocate General Michal Bobek issued a preliminary opinion in a long-running case involving Belgium's privacy watchdog, which has been attempting to investigate Facebook. The ECJ has yet to issue its final order, but Bobek's opinion is that a country's data protection authority "cannot be deemed as the sole enforcer of the GDPR in cross-border situations.")
Ireland's privacy watchdog had already signaled its displeasure with Facebook's response to this breach, noting that the DPC initially "received no proactive communication from Facebook" and had to query it directly before it received details.
On Wednesday, the DPC announced that "having considered the information provided by Facebook Ireland regarding this matter to date, [DPC] is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook users’ personal data."
As a result, the DPC opted to launch an investigation "to determine whether Facebook Ireland has complied with its obligations, as data controller, in connection with the processing of personal data of its users by means of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer features of its service." The regulator says it will review whether Facebook has violated any GDPR or DPA rules.
Under GDPR, breached organizations are required to share full details of an incident with regulators within 72 hours. Failure to comply with any aspect of the regulation can lead to fines of up to 20 million euros ($24 million) or 4% of the organization's annual global revenue - whichever is greater. Violators can also be stripped of their ability to process people's personal data.
Expect this latest Facebook breach investigation to be closely watched. Many European officials have previously signaled that they want to see Facebook do a better job of toeing the line when it comes to gathering, analyzing and protecting personal data, and have been calling for steeper sanctions when it fails to do so. This latest breach may not help the social network advance claims that it has truly been taking the security and privacy of its users' data seriously.