A Facebook data breach has hit the news again with reports of 533 million user accounts being exposed to hackers. The breach in question reveals the contents of data which Facebook claims had already been exposed by a previous leak; Facebook say they fixed the leak back in 2019. Now the dataset has popped up again, available free of charge from a hacking forum, which means it is widely available to anyone who wants it.

Facebook tried to calm the waters by assuring us that the data was leaked “years ago” (in 2019) and has since been secured. Is it just me or does anyone else think 2019 was actually not that long ago? After all, 2020 was not a socially eventful year for any of us, thanks to the pandemic. And even if the breach was years ago, would that be a good reason to think the data is no longer of value to people? My mother has not used her maiden name for years, yet it is still data I would rather not share with a hacker. The same could be said for the name of my first pet or school, both also typical security questions. Unlike login details, these types of data are not so easy to change.

The Irish data protection regulator (the DPC) are also concerned about Facebook’s relaxed response to the news and are examining whether the breach has already been reported, as Facebook claim. Other EU regulators are calling for the Irish DPC to take a tough stance in the enquiry.

But maybe the best news is that digital privacy group Digital Rights Ireland (DRI) are launching a “mass action” to sue Facebook on behalf of EU citizens under the GDPR right to monetary compensation for breaches of personal data. DRI said individual users who take part in the legal action could be offered compensation of up to €12,000 (£10,445) if it is successful – based on what it says are similar cases in other countries.

Back in February this year, a mass legal action was launched in the UK by writer Peter Jukes on behalf of himself and a million UK Facebook users for allowing the harvesting of personal data by the app ‘This is Your Digital Life’, including not only personal data of the app user but that of their Facebook friends as well. See our February blog for details.

Under the GDPR the maximum fine possible is 4% of global annual turnover. However, if these claims are successful, the cost to Facebook will be a far larger deterrent. They will also pave the way for future claims of this kind, providing a way to hold technology giants to account for their lack of regard for individuals’ personal data.