Facebook data breach: 5m accounts in EU may be impacted

Oireachtas committee to raise questions on latest security issue affecting 50m users

About 5 million European accounts may be impacted by the massive data breach affecting the accounts of 50 million Facebook users worldwide, it has emerged.

The social media company reported on Friday it had discovered a security issue that allowed attackers to exploit a vulnerability in its code. This affected the “View As” feature, which allows people to see what their own profile looks like to someone else, therefore leaving user’s data exposed.

The chair of the Joint Oireachtas Committee on Communications, Hildegarde Naughton, is to raise the Facebook data breach at the committee's meeting on Tuesday afternoon.

In its announcement in a blog post on Friday, Facebook said it was taking the issue “incredibly seriously”.


The Irish Data Protection Commission, which is responsible for regulating Facebook's data processing activities in Europe, said it was "concerned that this breach was discovered on Tuesday and affects millions of users".

It said at that time Facebook was “unable to clarify the nature of the breach and risk to users” and that it was pressing the company to “urgently clarify these matters”.

In a statement on Twitter on Monday evening, the commission said it understood the number of potentially affected EU accounts “is less than 10 per cent of the 50 million accounts in total potentially affected by the security breach”. This means about 5 million of the users affected by the breach may be in the EU.

“Facebook has assured us that they will be in a position to provide a further breakdown in relation to more detailed numbers soon,” the commission added.

Facebook says its data regarding the geographic location of its users is based on a number of factors, such as the user’s internet protocol (IP) address and “self-disclosed location”.

It says these factors may not always accurately reflect a user’s actual location.

Ms Naughton said on Friday it was “quite alarming Facebook users have suffered such a data breach”.

She said it highlighted “the precarious nature of uploading sensitive or personal content into the trust of social media giants”.

“What security measures are in place for account holders and what are Facebook doing to prevent such a future occurrence? These are just some of the questions that we require answers for.”

Facebook has also faced scrutiny this year over how third parties use its data after it emerged in March that Cambridge Analytica improperly accessed user data and used it in political campaigns.

In June, Facebook apologised to 14 million users that posts they intended to share privately may have been published publicly because of a bug affecting its “audience selector” tool, which allows users to decide whether to publish a post only to their friends or to a broader audience.

Because Facebook's main establishment in the EU is in Ireland, the Irish Data Protection Commission is the "lead supervisory authority", or regulator for the company.

New powers granted to the EU’s data protection authorities under the General Data Protection Regulation (GDPR) allow the imposition of fines of up to €20 million or 4 per cent of total worldwide annual turnover in the preceding financial year, whichever is higher.

However, under the regulation, any penalties imposed on data controllers must also be “effective, proportionate and dissuasive”.

The commission also has the power to order companies such as Facebook to provide it with any information it requires in order to investigate such data breaches, and to carry out investigations in the form of data protection audits.

Facebook, which has its headquarters at 1 Hacker Way, Menlo Park, California, employs over 30,000 people worldwide, including about 2,500 in Ireland.

It claims 1.47 billion daily users as of June this year and reported $40.7 billion in revenues, or $15.9 billion in net income, in 2017.

What powers does the Data Protection Commission hold

Under the EU regulation, all data protection authorities, including the commission, have extensive powers of enforcement. This includes the power to obtain access to any premises of a data controller or processor, and to its equipment. They may issue warnings that data processing activities infringe, or are likely, to infringe provisions in the regulation.

They may also issue “reprimands” where processing operations have been in breach of the law and they may order the data controller or processor to bring their data processing operations into line with the regulation. The data regulators may specify the manner in which this is to be done and they may specify a timeframe within which it has to be done.

Data protection authorities also have powers to order data controllers to notify the individuals impacted in a data breach. They may impose a “temporary or definitive limitation” on their activities, including a ban on processing personal data.