Data Protection Commission confirms formal investigation into Facebook data breach

Up to 50 million users impacted by glitch which opened personal data on users’ accounts to possible hacking

The Data Protection Commission has confirmed it has opened a formal investigation into a huge data breach impacting about 50 million Facebook users.

In a statement on Wednesday evening, the commisison said it had commenced an investigation under section 110 of the Data Protection Act 2018 into the breach it was notified of last Friday.

"In particular, the investigation will examine Facebook's compliance with its obligation under the General Data Protection Regulation (GDPR) to implement appropriate technical and organisational measures to ensure the security and safeguarding of the personal data it processes," the commission said.

It added that Facebook had informed the commission that its internal investigation was continuing and that the company continued “to take remedial actions to mitigate the potential risk to users”.



The social media company reported on Friday last it had discovered a security issue that allowed attackers to exploit a vulnerability in its code. This affected the “View As” feature, which allows people to see what their own profile looks like to someone else, therefore leaving users’ data exposed.

The commission, which is responsible for regulating Facebook's data processing activities in Europe, said at the weekend it was "concerned that this breach was discovered on Tuesday and affects millions of users".

The commission has also indicated it understands that "less than 10 per cent" of the impacted Facebook user accounts are those of users in the European Union.

This means about five million European accounts may be impacted.

However, Facebook says its data regarding the geographic location of its users is based on a number of factors, such as the user’s internet protocol (IP) address and “self-disclosed location”.

It says these factors may not always accurately reflect a user’s actual location.

Because Facebook's main establishment in the EU is in Ireland, the Irish Data Protection Commission is the "lead supervisory authority", or regulator for the company.

New powers granted to the EU’s data protection authorities under the GDPR allow the imposition of fines of up to €20 million or 4 per cent of total worldwide annual turnover in the preceding financial year, whichever is higher.

However, under the regulation, any penalties imposed on data controllers must also be “effective, proportionate and dissuasive”.


The commission also has the power to order companies such as Facebook to provide it with any information it requires in order to investigate such data breaches, and to carry out investigations in the form of data protection audits.

Facebook has also faced scrutiny this year over how third parties use its data after it emerged in March that Cambridge Analytica improperly accessed user data and used it in political campaigns.

In June, the company apologised to 14 million users that posts they intended to share privately may have been published publicly because of a bug affecting its “audience selector” tool, which allows users to decide whether to publish a post only to their friends or to a broader audience.

Facebook, which has its headquarters at 1 Hacker Way, Menlo Park, California, employs over 30,000 people worldwide, including about 2,500 in Ireland.