DPC statement, re: Dataset appearing online
06th April 2021
A dataset, appearing to be sourced from Facebook, has appeared on a hacking website this weekend for free and contains records of 533 million individuals. A significant number of the users are EU users. Much of the data appears to been data scraped some time ago from Facebook public profiles.
Previous datasets were published in 2019 and 2018 relating to a large-scale scraping of the Facebook website which at the time Facebook advised occurred between June 2017 and April 2018 when Facebook closed off a vulnerability in its phone lookup functionality. Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR.
The newly published dataset seems to comprise the original 2018 (pre GDPR) dataset and combined with additional records, which may be from a later period.
The DPC attempted over the weekend to establish the full facts and is continuing to do so. It received no proactive communication from Facebook. Through a number of channels, it sought contact and answers from Facebook who have since indicated that:
“……… based on our investigation to date, we believe that the information in the data-set released this weekend was publicly available and scraped prior to changes made to the platform in 2018 and 2019. As I am sure you can appreciate, the data at issue appears to have been collated by third parties and potentially stems from multiple sources. It therefore requires extensive investigation to establish its provenance with a level of confidence sufficient to provide your Office and our users with additional information.”
Facebook assures the DPC it is giving highest priority to providing firm answers to the DPC. A percentage of the records released on the hacker website contain phone numbers and email address of users. Risks arise for users who may be spammed for marketing purposes but equally users need to be vigilant in relation to any services they use that require authentication using a person’s phone number or email address in case third parties are attempting to gain access.
The DPC will communicate further facts as it receives information from Facebook.