Facebook did not notify the more than 530 million users whose details were obtained through the misuse of a feature before 2019 and recently made public in a database.
In a normal situation, a company would be hunkering down in damage control and be offering some decent excuses which would have been workshopped after hours of meetings with the PR team.
Not Facebook. It says it has no plans to tell anyone their details were nicked and rather than coming up with any excuse, it is going to blame “malicious actors” and get on with its life.
Facebook said in a blog post on Tuesday that “malicious actors” had obtained the data prior to September 2019 by “scraping” profiles using a vulnerability in the platform’s tool for syncing contacts.
The Facebook spokesman said the social media company was not confident it had full visibility on which users would need to be notified.
He said it also took into account that users could not fix the issue and that the data was publicly available in deciding not to notify users. Facebook has said it plugged the hole after identifying the problem at the time.
The scraped information did not include financial information, health information or passwords, Facebook said. However, the collated data could provide valuable information for hacks or other abuses.
Facebook, which has long been under scrutiny over how it handles user privacy, in 2019 reached a landmark settlement with the US Federal Trade Commission over its investigation into allegations the company misused user data.
The July 2019 FTC settlement requires Facebook to report details about unauthorised access to data on 500 or more users within 30 days of confirming an incident.
We guess Facebook does not have to worry about anything else any more.
Ireland’s Data Protection Commission, the European Union’s lead regulator for Facebook, said on Tuesday it had contacted the company about the data leak. It said it received “no proactive communication from Facebook” but was now in contact.