TENS OF THOUSAND of Facebook users in Ireland had private information like their phone numbers and emails exposed in a major hack last year, confidential correspondence from the social networking giant shows.
The total included more than 20,000 users who had both their contact details and other sensitive data like their birth dates and locations accessed by hackers.
The figures were included in an email to the communications minister, Richard Bruton, in the wake of the damaging security breach – which will be a major test case for the Irish Data Protection Commission’s enforcement of strict new EU data protection rules.
Facebook has not publicly shared a breakdown of how many users in Ireland were affected by the hack, which involved attackers stealing ‘access tokens’ for around 30 million accounts worldwide over a two-week period from 14 to 27 September.
The company later disclosed that around 10% of the accounts affected were believed to belong to EU-based users.
However in a message a few weeks after the hack to the minister, Facebook’s head of public policy for Ireland, Niamh Sweeney, revealed further details about the impact of the hack on the company’s local user base.
She disclosed that more than 42,000 users in Ireland had their details compromised in the breach.
The figure included:
The hackers were unable to read the private messages of those whose profiles were fully exposed, Facebook said, although the attackers would be able to see private messages sent to pages administered by members of that group.
We would be grateful if you could keep the numbers I’ve shard (sic) above confidential as we continue to work on this analysis,” Sweeney wrote in the email, which was obtained by TheJournal.ie.
A security weakness
Hackers exploited a weakness in Facebook’s code to carry out the attack, stealing tokens – which are normally used to allow people to remain logged into their accounts – that enabled them to effectively take over people’s accounts.
Speaking after Facebook first revealed details of the worldwide breach, CEO Mark Zuckerberg described it as a “really serious security issue”.
The company said it would notify the affected account-holders.
It has not been revealed who was behind the attack or what, if any, use was made of the compromised data.
The Data Protection Commission has since opened three separate statutory inquiries into whether Facebook had breached EU rules governing the handling of data after it was notified of the hack.
The commission, which acts as the defacto European watchdog for many major tech companies’ data practices due to firms like Facebook’s regional bases in Ireland, has the power to levy fines of up to 4% of a company’s yearly revenue under GDPR provisions.
In the case of Facebook, the penalty could potentially stretch to more than €1 billion – although any actual fines are likely to be much less than the maximum figure.
A commission spokeswoman said inquiries into the Facebook hack were “at an advanced stage”. It is currently conducting another five, unrelated investigations into the social network.
Know more about this story? Email the author via peter@thejournal.ie or send a message using the secure Threema app, ID: ESUCBYMK.
To embed this post, copy the code below on your site
have your say