The personal data of 188,200 Facebook accounts opened from Luxembourg have been made available on the internet. The data includes phone numbers, names, marital status, employer details, place or date of birth, and e-mail addresses.
On Saturday, an Internet user revealed that he had made available for free the data of more than 500 million accounts worldwide, including 32 million accounts in the United States, 11 million in the United Kingdom and 6 million in India.
A Facebook spokesperson, interviewed by Business Insider, which revealed the story, said that the flaw that led to the data being leaked had been corrected by August 2019, without specifying whether users had been notified by Facebook about the loss of their data, as required by the General Data Protection Regulation (GDPR).
Even if the flaw was corrected, the data could allow hackers to steal the identities of tens of thousands of people. Phone numbers are a particular concern, as they can allow copying of SIM cards and hijacking of dual authentication.
The National Commission for Data Protection says the issue is being managed by the Irish Data Protector, as Ireland is where Facebook has its headquarters. Questioned by Paperjam, it indicated on Monday afternoon that some of the leaked data dates from before the entry into force of GDPR, implying that Facebook did not breach regulations by not reporting the problem.
“The Data Protection Commission has tried over the weekend to establish all the facts and continues to do so. It has not received any proactive communication from Facebook. Through a number of channels, it sought contacts and responses from Facebook, which has since indicated that ‘based on our investigation to date, we believe that the information contained in the dataset released this weekend was publicly available and retrieved prior to the 2018 and 2019 platform changes. As I'm sure you can appreciate, the data in question appears to have been collected by third parties and potentially from multiple sources. A thorough investigation is therefore necessary to establish its provenance with a sufficient level of confidence to provide your board and our users with additional information.’”
Facebook has said that it places the highest priority on providing firm responses to the Data Protection Commission. A percentage of the records posted on the hackers’ website contain users’ phone numbers and email addresses. Risks arise for users who may be spammed for marketing purposes, and users should also be vigilant about services they use that require authentication using a person's phone number or email address, in case third parties attempt to gain access.
The Data Protection Commission has said it will share additional facts as it receives information from Facebook.
This article was originally published on Paperjam. It has been translated and edited for Delano.