In the past week, it has been widely reported that the personal data of over 533 million Facebook users (including over 11 million users in the UK) was leaked online. This personal data included, amongst other things, full names, phone numbers, birthdates and locations.
Facebook has responded by describing this as an old incident: the data was obtained in 2019, and the issue that allowed it to be taken has, according to Facebook, since been addressed.
Under the UK GDPR, there are penalties for organisations that fail to report data breaches promptly. Recital 87 of the UK GDPR says that when a security incident takes place, an organisation should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the Information Commissioner's Office (ICO) where the breach is notifiable. A breach is notifiable unless it is unlikely to result in a risk to the rights and freedoms of individuals.
Notifiable data breaches must be reported to the ICO without undue delay and, where feasible, no later than 72 hours after the organisation becomes aware of them. The 72 hours run continuously from the point of awareness and include evenings, weekends and bank holidays. If an organisation misses this deadline, the report must be accompanied by the reasons for the delay. Where the full picture is not yet known, the information may be provided in phases, so an incomplete investigation is not a reason to withhold the initial notification.
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR also requires the organisation to inform those individuals directly and without undue delay. There is no fixed 72-hour limit for this second duty, but the purpose is to let affected people protect themselves, so it should take place as soon as possible.
Facebook's argument that the breach is old is an interesting one, because the kinds of personal data leaked here rarely change. A Facebook user's date of birth, for example, was the same in 2019 as it is today, and most people keep the same phone number for years. Data of this sort therefore remains extremely valuable to cybercriminals, who combine such details to attempt identity theft or to get past account-recovery checks that rely on a date of birth or phone number, regardless of how long ago it was taken.
Because personal data in the wrong hands remains a risk for as long as it stays accurate, the Facebook breach is a reminder that organisations should put measures in place to reduce the likelihood of a breach occurring, and should handle any breach that does occur in line with the UK GDPR's notification requirements.