The Irish Data Protection Commission (DPC) is probing whether any of the data records of 533 million Facebook users published over the weekend were leaked after the implementation of the General Data Protection Regulation (GDPR).

A dataset, appearing to be sourced from Facebook, appeared on a hacking website containing records of 533 million individuals, including phone numbers and email addresses,

The DPC said a significant number of users were European Union residents and much of the data appears to have been scraped from Facebook profiles.

The DPC said the newly published dataset appears to comprise records from previous datasets published in 2018 and 2019 and scraped from Facebook between June 2017 and April 2018 before the social media firm closed off a vulnerability in its phone lookup functionality.

These leaks were before the implementation of GDPR in May 2018 and therefore Facebook did not notify the DPC.

However, the DPC is saying that there also “additional records” in the newly published dataset “which may be from a later period” and therefore under the scope of GDPR.

According to the DPC, Facebook has said the following in response: “Based on our investigation to date, we believe that the information in the dataset released this weekend was publicly available and scraped prior to changes made to the platform in 2018 and 2019.

“As I am sure you can appreciate, the data at issue appears to have been collated by third parties and potentially stems from multiple sources. It therefore requires extensive investigation to establish its provenance with a level of confidence sufficient to provide your Office and our users with additional information.”

A DIPC spokesperson said the commission will continue to establish “the full facts”.

He said: “Facebook assures the DPC it is giving highest priority to providing firm answers to the DPC.

“A percentage of the records released on the hacker website contain phone numbers and email address of users. Risks arise for users who may be spammed for marketing purposes but equally users need to be vigilant in relation to any services they use that require authentication using a person’s phone number or email address in case third parties are attempting to gain access.”

A spokesperson for Facebook said: ”We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019. This feature was designed to help people easily find their friends to connect with on our services using their contact lists.

”When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer. In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users.” 

Register to receive the latest data protection and privacy news and analysis straight to your inbox