The Irish Data Protection Commission (DPC) has criticised Facebook for a lack of communication over how and when at least 1.3 million Irish mobile phone numbers came to be publicly leaked and shared.
The breach, which is part of a global leak of more than 500 million accounts, has left more than a quarter of Irish mobile phone users open to more fraudulent calls, scam texts and bogus WhatsApp messages.
It has also left thousands who are in sensitive work positions – from prison officers to gardaí and women’s refuge managers – vulnerable to harassment or stalking through their mobile numbers being made public.
“The DPC attempted over the weekend to establish the full facts and is continuing to do so. It received no proactive communication from Facebook. Through a number of channels, it sought contact and answers from Facebook,” said a spokesperson for the Irish DPC.
Facebook Ireland responded to queries about the leak with a two-sentence statement.
“This is old data that was previously reported on in 2019,” a spokesperson told the Irish Independent.
“We found and fixed this issue in August 2019.”
The social media giant is arguing that because the bulk of the data leak happened before the implementation of the General Data Protection Regulation (GDPR) in May 2018, it does not have to take any further action in relation to the matter.
“Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR,” said the DPC.
There has been widespread criticism of Facebook for its lack of action on the issue. Unlike in most data breaches, where email passwords can be reset, most people do not change mobile numbers.
The Irish regulator is now warning of risks around spam and security, saying: “Risks arise for users who may be spammed.
“Users also need to be vigilant in relation to any services they use that require authentication using a phone number in case third parties are attempting to gain access.”