Facebook initially considered breach not eligible for notification in Australia

Data for up to 111,813 Australian users may have been accessed as a result of the September 2018 incident.

Facebook in September revealed it was the target of a network incident that saw attackers exploit a code vulnerability, allowing them to steal access tokens that are used to keep Facebook users logged in when they switch over to a public profile view via the "View As" feature. The vulnerability comprised of three separate bugs.

Initially, Facebook overshot the number of affected users, but the 50 million figure dropped to just over 29 million in early October.

As revealed in email communications made public by the Office of the Australian Information Commissioner (OAIC) following a freedom of information (FOI) request, Facebook on October 13 had determined that data for up to 111,813 Australian users may have been accessed as a result of the incident.

However, Facebook a few days prior did not think the incident was an eligible breach under Australia's Notifiable Data Breaches (NDB) scheme.

Under the NDB scheme, agencies and organisations in Australia that are covered by the Privacy Act are required to notify individuals whose personal information is involved in a data breach that is likely to result in "serious harm", as soon as practicable after becoming aware of a breach.

"At this stage we do not consider the incident to be a an eligible data breach under the Australian Notifiable Data Breaches scheme, however, we will continue to keep you and users informed about the incident and any developments," the social media giant's legal team wrote in an email on October 1 to the OAIC.

In general terms, an eligible data breach under the Commonwealth scheme refers to the unauthorised access, loss, or disclosure of personal information that could cause serious harm to the individual whose personal information has been compromised.

Examples of a data breach include when a device containing customers' personal information is lost or stolen, a database containing personal information is hacked, or personal information is mistakenly provided to the wrong person.

In its October 13 update to the OAIC where Facebook revealed that over 100,000 Australians may have had their data obtained, it disclosed that the full name, email address, and phone number of an estimated 47,912 Australian accounts were potentially exposed.

Further, an estimated 62,306 Australian users may have had additional information obtained, including: Username, full name, nickname, email address, phone number, gender, language spoken, relationship status, religion, hometown, current listed location, recently checked-in locations, birthday, the devices used by the user to access Facebook, education history, work history, any websites listed on the user's profile, if the user was verified by Facebook, search queries on Facebook, and potentially the top 500 accounts the user follows.

For an estimated 1,595 further Australian users, in addition to the information potentially obtained in relation to the first two groups of users, the attackers may also have their hands on users' timeline posts, their entire list of friends, groups they are members of, and the names of conversations in Facebook's Messenger application.

Not sure if you need to disclose a breach? Read this: Notifiable Data Breaches scheme: Getting ready to disclose a data breach in Australia  

While discussing this incident with the OAIC, Facebook in December advised that it was the subject of another potential breach, this time affecting people who used Facebook login to share photos with third-party app developers.

"We can confirm we do not currently believe the incident meets the requirements of the notifiable data breach reporting scheme. We hope to provide further information on your enquiries shortly," the email sent to the OAIC on December 15 reads.

A Facebook investigation revealed that 1,500 apps built by 876 developers might have been able to access the non-public photos of up to 6.8 million users.

The office led by Information and Privacy Commissioner Angelene Falk is still investigating Facebook over the Cambridge Analytica scandal that saw over 300,000 Australian users have their information misused.

The OAIC has not released any further information on any of its Facebook investigations following the release of its email communications with the social media giant.

RELATED COVERAGE