The data breach suffered by Facebook is now thought to have compromised the personal details of 3m of the social network’s users in Europe, the Irish Data Protection Commission (IDPC) has announced.

Facebook discovered the breach at the end of September this year, after hackers managed to access user accounts via a glitch in the platform’s ‘view as’ feature. The tool, created as a means to strengthen privacy, allows users to see how much of their profile is visible to other Facebook and web users.

Initial reports suggested that the leak exposed the details of around 50m user accounts, a figure subsequently revised down to around 30m. Of this number, 14m had other personal information exposed, including gender, recent check-in locations and relationship statuses.

Facebook would not reveal the number of European accounts hit at the time, only disclosing to the Irish Data Protection Commission that EU-based victims accounted for 10% of those affected.

As reported by the CNBC news website, the IDPC – Ireland’s regulator for data law in Europe – has learned that around 3m account holders on this side of the pond were affected.

Policing challenge

The latest Facebook data breach is one of the first big tests of the General Data Protection Regulation, and organisations across industries will be taking a keen interest in how regulator penalties play out.

The social network’s reporting of the issue within 72 hours of discovery will act as a mitigating factor in any disciplinary action. The enforcers of GDPR can fine transgressing companies up to 4% of annual global revenue, or €20m, whichever is the greater.

While investigations into the leak continue, the IDPC says:

“The update from Facebook last Friday, 12 October, was significant as Facebook has confirmed that the personal data of millions of users was taken by the perpetrators of the attack. The Data Protection Commission’s statutory investigation into the breach and Facebook’s compliance with its obligations under the GDPR continues.”

Vera Jourova, the EU’s justice commissioner, said:

“We have very strict rules and we have very strong instruments to discipline the companies which deal and which handle the private data of people, which is obviously the case with Facebook.”

