Hit by a record data breach, Facebook does not intend to make life easy for the data protection authorities. The social network yesterday published a statement updating the situation regarding the file of 533 million accounts that has been circulating on a forum since the beginning of the month. The file contains data belonging to the network's users, including surnames, first names and telephone numbers, along with other information.
In Europe, this type of data leak is governed by the GDPR whenever European citizens are affected by the incident. With around 20 million French citizens in the leaked file, it is hard to pretend that this is not the case. Facebook's reaction to the leak nevertheless raises questions: the social network told Reuters that it had not warned the users affected by the leak and that it did not intend to do so in the future. In addition, Facebook did not report the leak to the Irish data protection authority; it was the authority that approached Facebook on the subject, as it indicated in a statement on Monday.
In its press release published yesterday, Facebook explains that the data did not come from an intrusion into its network but was collected using a technique known as "scraping". The term refers here to automated tools programmed to harvest data that is freely accessible on the web. In Facebook's case, the data retrieved does indeed come from the public pages of user accounts. Only the phone number is not public information, but Facebook explains that in 2019 it identified a flaw in its systems that made it possible to retrieve the phone number associated with an account, a flaw the social network corrected that same year. Facebook gives no further details on how it intends to follow up the case, simply urging affected users to be cautious.
A risk to be assessed
The Irish data protection authority, the DPC, is responsible for investigating the case, since Facebook's European head office is based in Ireland. The CNIL said it had also taken up the matter and was working with the DPC to verify "the circumstances of the violation" and "the measures taken by Facebook, in particular the possible direct communication to those affected by the leak".
The question of communication to users is delicate: the GDPR provides that, where a breach poses a "high risk" to users, companies must notify the persons concerned. When there is doubt about the level of risk posed by a breach, it is up to the data protection authorities to decide whether or not the company must notify the affected users. Likewise, the GDPR requires the affected company to notify the breach to the data protection authority, in this case the Irish one. But as the DPC explains in its Monday statement, Facebook considers that the data comes from a scraping operation that took place "between June 2017 and April 2018", that is, before the GDPR became applicable on 25 May 2018, and therefore that the social network was not required to notify the leak to the authorities.
Victims in the dark
Facebook therefore refuses to go beyond what it considers strictly required. Yet the social network does not have a good reputation on data protection and faces a great deal of criticism, in Europe and across the Atlantic, over leaks of its users' data. But rather than try to salvage an image that is already badly tarnished, the network apparently prefers to avoid setting a precedent that could harm it in the future.
The data protection authorities will have to rule, but the case highlights an issue likely to come up again in cases of this kind: the difficulty of warning the victims of these data breaches. Online services make it possible to check whether an account appears in the stolen file, but the CNIL advises against using them. If the data protection authorities judge, as Facebook seems to think, that the risk posed by this breach is not high enough to compel the social network to alert the affected users, who will? Given the number of users affected, the CNIL recommends that anyone who had a Facebook account between 2016 and 2019 consider themselves affected by this breach, "without seeking to verify whether this is indeed the case".