The Federal Trade Commission is likely to investigate whether the social media giant had reasonable defenses to guard against such an episode and could fine Facebook if its security is deemed insufficient, according to former FTC officials.
Whether Facebook told users about the leak could bring further attention from state attorneys general looking to hold the company accountable under their breach notification rules. Consumers could also bring class action lawsuits if their information was among the data.
“One question as a regulator I’d want to know is how long was this vulnerability there?” said David Vladeck, a Georgetown University law professor who was previously director of the FTC’s Bureau of Consumer Protection.
“If this was a scraping vulnerability and they were unaware of it for a long time, that would be problematic,” Vladeck said.
The data, which re-emerged online over the weekend, is from an earlier flaw revealed in 2019, which Facebook has fixed, a company spokeswoman tweeted. Information said to be exposed includes phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses.
Facebook said in a statement Tuesday the incident is a result of scraping, a technique that extracts data from a website, usually with automated software. The company said it believes malicious actors used Facebook’s contact importer, a feature designed to help people easily find their friends using their contact lists.
“We’re focused on protecting people’s data by working to get this data set taken down and will continue to aggressively go after malicious actors who misuse our tools wherever possible,” Facebook product management director Mike Clark said. “While we can’t always prevent data sets like these from recirculating or new ones from appearing, we have a dedicated team focused on this work.”
The incident could be considered a violation of Facebook’s $5 billion privacy settlement with the FTC to resolve the Cambridge Analytica data scandal, according to Ashkan Soltani, former chief technologist for the FTC. That means Facebook could face a fine as a result.
One challenge for regulatory oversight is that the Cambridge Analytica settlement included a provision shielding Facebook from liability for any similar incidents that occurred prior to June 12, 2019, Soltani said. So the question is whether this data leak falls under the terms of that agreement or whether the FTC could bring another case against Facebook, he said.
“Regulators might see this as an older issue that just cropped up,” said Soltani, who worked on an earlier FTC investigation into Facebook over claims of publicizing user data that led to a settlement in 2011.
A spokeswoman for the FTC declined to comment, saying its investigations aren’t made public.
The incident, and its coverage in news media, is likely to spawn litigation against the social media giant, said Melissa Krasnow, a privacy and data security partner at VLP Law Group in Minneapolis.
“With consumer lawsuits, people could allege negligence or bring claims under broader consumer protection statutes,” Krasnow said. “There may also be shareholder derivative suits or federal securities law class actions.”
Claims brought under the California Consumer Privacy Act—the state’s landmark privacy law that contains a narrow private right of action for some data breach incidents—may ultimately fail, given the nature and timing of the incident, but that likely won’t stop attorneys from suing anyway, she said.
Outside of the FTC, state attorneys general may also investigate Facebook and its privacy practices, said Andrea Matwyshyn, associate dean of innovation and professor at Penn State Law.
“They may engage in an additional investigation relating to the practices of Facebook that led to the disclosure of this information,” Matwyshyn said.
Those attorneys general may also examine whether Facebook properly disclosed the incident in line with data breach notification reporting standards, she said. And the fact that the data leak affected European and Australian users may also spur regulatory activity in those regions and greater scrutiny of Facebook’s privacy practices overseas, Matwyshyn said.
Although the data was allegedly leaked in 2019, its resurfacing now—and its being freely and publicly accessible—amplifies the risk for fraud, said Linn Freedman, a data privacy and security partner at Robinson & Cole LLP in Providence, R.I.
“It widens the entire magnitude of accessibility and its use for fraudulent purposes,” Freedman said. “All of this info could be used by hackers, but also by amateurs for phishing and social engineering.”
The fact that full names were combined with other identifiable information including phone numbers makes it easier for bad actors to take advantage of unsuspecting victims, Freedman said. Phone numbers and emails are also often used for multi-factor authentication, meaning the leaked information could potentially be used to fuel other fraud schemes.
The publicity and magnitude of this incident—with half a billion users affected—should be a “wake-up call” for anyone using online platforms, said Teresa Murray, consumer watchdog director for the U.S. Public Interest Research Group.
“We cannot allow our privacy to be invaded more,” Murray said. “People are going to be a lot more skeptical and a lot more careful about providing this whole trove of information to social media platforms.”