Although the personal information of hundreds of millions of Facebook users was recently leaked online, the company says it has no plans to notify those affected. The incident, made possible by a bug in the platform's contact synchronization feature, reportedly affected 533 million users in 106 countries and exposed personally identifiable information (PII) such as names, email addresses, phone numbers and more.
Asked to justify the decision not to alert victims, a Facebook spokesman said that the company does not yet have a full picture of which users were involved. The fact that no corrective action was required of users is also said to have contributed to the decision.
The leak was first discovered by security researcher Alon Gal, co-founder of security research firm Hudson Rock, who spoke to a number of affected users to verify the legitimacy of the data.
After the incident came to light, Facebook stated that the data had not been stolen by hacking its systems but scraped from the platform. From the affected users' point of view, that distinction changes little: the exposed combination of names, phone numbers and email addresses is exactly what phishing, SMS scams and other social-engineering attacks against them are built on.
In many cases, companies are required by law to notify both regulators and victims of a data breach. However, because the rules differ between jurisdictions (and even between states), notification requirements do not always apply.
For example, in the UK a company must notify affected individuals when a breach "is likely to result in a high risk to the rights and freedoms" of those individuals. Even then, the obligation does not apply if the data was protected, for instance by encryption, so that it is unintelligible to whoever obtained it, or if measures were subsequently taken so that the high risk is no longer likely to materialise.
In any event, it has traditionally been considered good practice for a company to alert its customers promptly after such an incident. In this case, though, Facebook users will have to take proactive steps to find out whether their data was included, for example by checking their email address or phone number against a breach-notification service such as Have I Been Pwned, which indexed this dataset.