Data breaches, fines and…friend requests?

We’re living in a world that increasingly thrives on data. As consumers, we can only hope that once we hand our data over to an organisation, it will do everything possible to secure it. That’s the dream, anyway. 

The reality, as always, is a bit more complicated. 

Facebook app update bug leaves some users red-faced 

Facebook rolled out an update for its mobile app this month that accidentally sent a friend request to anyone whose page you visited. Of course, this meant some users found themselves in a bit of a pickle (you may not want, for example, to add your ex’s new partner as a friend or to send friend requests to any other random person whose profile you just wanted a good nose through). 

One TikToker said the app had sent friend requests to her ex of 10 years…and his wife. Another user said that it’d sent requests to two interviewers they were about to meet – which made them cancel the interview out of embarrassment. 

Facebook was quick to apologise, fix the error (cancel friend requests made since the update) and provide a way for people to check any recent friend requests sent from their account. 

While it’s unclear how the error happened, faulty software updates are common. There are probably things Facebook could have done to prevent the problem, but the important thing is that it acted swiftly, fixed the issue, apologised and gave users a way to re-establish control over their friends list. 

Facebook’s also facing a record fine for mishandling user data 

The more significant issue for Facebook is the €1.2bn fine it’s been landed with after Ireland’s Data Protection Commission found it guilty of GDPR breaches. The platform also has five months to stop transferring user data from the EU to the US and six months to remove EU user data from US-based servers. 

The fine follows concerns raised by a privacy campaigner about how secure user data was from US intelligence agencies. 

Meta is appealing the decision and said it was “disappointed” to have been “singled out”. In addition to raising concerns about creating multiple internets, Meta has said that if it can’t transfer data, it might be unable to provide services like Facebook and Instagram in Europe. 

It’s a decision that serves as a warning to take GDPR seriously, but it could also have major implications for Facebook and Instagram users and brands if Meta seriously considers withdrawing these apps from the EU market. 

Counting the cost of Capita’s data breach 

Data service company, Capita, says it’s continuing to investigate the hack that it suffered in March – which could cost it £15-£20 million. 

Meanwhile, one of its clients, Colchester Council, has raised concerns about how data (including individuals’ benefits data for FY 2019/20 and 2020/21) was stored in an “unsecured Amazon Data Bucket”. The UK’s largest private pensions provider, USS, has also warned that the personal data of up to 500,000 members may have been stolen as a result of the breach. 

There’s a great breakdown of what we know so far about how the incident happened over on IT Governance, but some key points worth noting are that:  

  • It was a ransomware attack that took nine days to interrupt and impacted 4% of Capita’s IT systems, and the gang behind it quickly started selling the data on the dark web. 
  • The messaging around exactly what data has been affected is confused, with some reports saying that customer, supplier, and employee data may have been stolen and others saying employee and supplier data wasn’t affected. 
  • A variety of data was stolen in the attack, from bank account details for organisations, confidential documents, and passport scans to the personal details of people who applied for teaching jobs and floor plans of various buildings. 


Until the investigation is complete (which Capita thinks will be on 27th May), we won’t know the full extent of the attack and how the attackers were able to breach the systems of such a major company (which counts the NHS and DWP among its clients). 

What’s clear, though, is that by targeting data service companies like Capita, hackers can gain access to a vast quantity and variety of data – which businesses need to keep in mind for their risk assessments. 


Data breaches, whether from a fluke human error or a prolonged attack, can be incredibly damaging to organisations and individuals (which is one reason why Facebook is facing such a large fine for how it handles its users’ data). 

It’s vital to get security right from the start, but if the worst should happen, it’s also important to communicate with clarity, confidence, and empathy – while also doing everything you can to fix the problem. 

Featured photo by Markus Spiske on Unsplash

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Is deinfluencing a threat to brands?
Why brands must be prepared to stand by their inclusive values during Pride and beyond


Related posts