Facebook Anticipating Legal Action From Data Leak, EU Digital Privacy Group Preparing Mass Action Lawsuit

The first signs of legal action against Facebook over the recent data breach have appeared, as an EU digital privacy group has announced plans to take the social media giant to court in Ireland. The data leak impacted some 530 million Facebook users and included email addresses and phone numbers in some cases.

In the meantime, an internal email that was leaked to the media indicates that Facebook is planning to downplay the seriousness of the incident as a public relations strategy and does not appear to be overly concerned about the potential legal consequences.

Facebook legal action could compensate victims with thousands of euros

Calling the data leak “recent” is a bit of a mischaracterization, as the incident itself actually took place around August 2019. It was not revealed to the public until early this month, however, as the stolen data surfaced in a public database.

The data leak traces back to a now-modified feature that previously allowed Facebook users to be looked up by the phone number attached to their account. Anyone could simply enter a phone number into a search tool, and if it matched an existing account it would pull up the user profile. While the profile would only show information that the user already made public, the phone number was often private and could now be tied to it.

An unknown party scraped Facebook’s database for information on hundreds of millions of profiles (from 106 different countries) by entering phone numbers in this way in 2019. Facebook appears to have become aware of the vulnerability around August of that year and patched it, but did not notify its users of the data leak. The incident might have never come to light if the database had not appeared on an underground hacking forum several weeks ago, containing information that ties phone numbers to email addresses and other public Facebook profile information. Facebook issued a statement indicating that it still does not plan to notify the affected users individually.
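The two paragraphs above describe the mechanism behind the leak: a lookup endpoint that maps a phone number to a profile, walked through at scale. The following is an added example of the defensive check a service owner would want on such an endpoint; it is not Facebook's code, and the log format, client identifiers, window and threshold are all assumptions constructed for the illustration. The signal is distinct-number velocity: a legitimate contact sync submits a bounded address book, while scraping steps through a number space.

```python
"""Detecting phone-number enumeration against a contact-lookup endpoint.

Assumed log format (constructed): "<unix_ts> <client_id> <e164_phone> <hit|miss>".
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60            # sliding window length (assumed policy value)
MAX_DISTINCT_PER_WINDOW = 20   # distinct numbers one client may look up per window (assumed)


class EnumerationDetector:
    """Flags clients that query many *distinct* phone numbers in a short window."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_DISTINCT_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._events = defaultdict(deque)   # client_id -> deque of (ts, phone)
        self.flagged = set()

    def record(self, ts, client, phone):
        """Record one lookup; return True if the client is (now) flagged."""
        q = self._events[client]
        q.append((ts, phone))
        while q and ts - q[0][0] > self.window:   # drop events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > self.limit:
            self.flagged.add(client)
        return client in self.flagged


def lookup_allowed(detector, ts, client, phone):
    """Gate for the lookup endpoint: refuse the query once a client is flagged."""
    return not detector.record(ts, client, phone)


def parse_line(line):
    ts, client, phone, result = line.split()
    return int(ts), client, phone, result


def analyse(log_text, window=WINDOW_SECONDS, limit=MAX_DISTINCT_PER_WINDOW):
    """Run the detector over a log and return the set of flagged client ids."""
    det = EnumerationDetector(window, limit)
    for line in log_text.strip().splitlines():
        ts, client, phone, _ = parse_line(line)
        det.record(ts, client, phone)
    return det.flagged


# Constructed sample: 'sync1' re-checks the same 3 numbers; 'walker' steps through a range.
SAMPLE_LOG = "\n".join(
    [f"{t} sync1 +35310000{t % 3:02d} hit" for t in range(30)]
    + [f"{t} walker +353100{t:05d} miss" for t in range(30)]
)
```

Real deployments would key the window on a stronger actor identity than a client id (account, device attestation, IP reputation) and would also watch the miss ratio, which is high for enumeration and near zero for a genuine contact sync.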

It is unclear how many of these users were EU residents, but the region has over 400 million active users as of Q4 2020. Digital Rights Ireland (DRI) is preparing to organize them for legal action, planning a mass action suit (very similar to a class action) that the group says could pay each member up to €12,000 based on results from other comparable cases. The group estimates that about 1.5 million residents of Ireland will be eligible for the legal action. The Irish Data Protection Commission has already announced its own separate investigation into the data leak, which could put Facebook on the hook for fines of up to 4% of its annual turnover if a General Data Protection Regulation (GDPR) violation is found.

Data leak presents a potentially massive problem, but Facebook remains unworried

Meanwhile, Facebook appears to be relatively unconcerned about any legal action or the regulatory fallout from the breach. Ironically, we know this because of another data leak; someone at the company accidentally CC’d Belgian magazine Data News on an internal email laying out the company’s planned PR response to the incident.

The most interesting point of the leaked email is that Facebook appears to be anticipating even more data leaks coming down the pipe, though the author did not go into specifics. The company plans to respond to the current breach by framing it as a normal industry occurrence, something that should be expected by consumers. Facebook appears to be hoping that if it downplays the incident and limits statements about the proposed legal action, media coverage will soon die down.

Facebook confirmed to the BBC that the email was genuine. The company said that it had plans in the works to limit scraping, but appeared to already be putting its PR strategy to work by referring to the similar recent data leaks experienced by Clubhouse and LinkedIn.

Though Facebook is actively downplaying the looming legal action, Tony Pepper (CEO at Egress) believes that this case could end up having serious repercussions: “Due to the scale of the incident, this latest case against Facebook could prove incredibly costly and will undoubtedly send shockwaves across the tech industry and beyond. Global technology companies like Facebook collect vast amounts of data on hundreds of millions of users, simply as the ‘cost of doing business’ with them. We’re now seeing litigation being used as a powerful mechanism to hold all companies, including tech giants, to account over the security of this data.”

While the Irish DPC could provide substantial assistance to any legal action by establishing that there was a GDPR violation, those participating in the lawsuit should not hold their breath waiting for help from this particular source. The regulator currently has a number of open investigations into Facebook’s privacy and data security practices, but has yet to take any actions aside from a preliminary suspension order (in the Privacy Shield case) even though some of these cases were initiated in 2018 and 2019. The Irish DPC has also been sparing with fines for the other tech giants headquartered in its country to date, issuing just one to Twitter that was well below the maximum allowed.

Facebook users can check to see if their personal information is included in the breach at the haveibeenpwned website, which has indexed the contents of the data leak and allows for searching user data either by phone number or email address.