Facebook hit with $6 million penalty for customer data leak
Facebook has been ordered to pay over 6.8 billion won ($6.1 million) in penalties for the improper use of consumer information. The government said the company provided private data on 3.3 million people to partners, stored passwords insecurely in plain text and interfered with the investigation.
The Personal Information Protection Commission (PIPC), a central administrative agency under the prime minister, initiated the crackdown after Facebook was scrutinized for its role in the 2016 U.S. presidential election.
The commission held the seventh session regarding Facebook on Wednesday and issued its ruling then. This is the first time a government agency has charged Facebook for Personal Information Protection Act (PIPA) violations.
PIPA details the rights of data subjects, including their right to be "informed of the processing of such personal information" and the right to "consent or not, and to choose the scope of consent, to the processing of such personal information."
“The suspicions that Facebook user information was illegally used during the 2016 U.S. presidential election led us to investigate Facebook,” said PIPC in a statement.
According to the commission’s investigation, from May 2012 to June 2018, Facebook provided users' personal information to other businesses without user consent. It was found that the information of at least 3.3 million users among 18 million total users in Korea was transferred. The compromised information included academic and career histories, birthplace, family or marriage status and interests.
When a Facebook user logs in to a different entity’s service using the login information for their Facebook account, the information in their "Facebook friends" section also becomes accessible to that organization. Ahead of the 2016 presidential election, data of 50 million Facebook users was harvested by Cambridge Analytica, and that data was sold to the campaigns of U.S. political candidates.
“While operating a medium called ‘Graph API V1,’ which helps the developers of third-party organizations run their services based on the user information, Facebook did not receive consent for providing the personal information to third parties,” said Song Sang-hoon, PIPC's director general for investigation and coordination. “Considering that the information of ‘Facebook friends’ may have been provided to a maximum of 10,000 applications, there could be more personal information compromised.”
PIPC also stated that Facebook interfered with the investigative process by submitting incomplete documents. Facebook fabricated parts of the submitted content when the commission mandated the company submit documents proving when it stopped the violations.
“When PIPC showed Facebook its counterevidence, Facebook made it difficult to calculate the duration of violation by submitting relevant documents 20 months after the requested date,” the commission said.
Facebook is also accused of interfering with the government’s attempt to calculate the size of the offense. According to the commission, Facebook only provided the number of users, even though it had given third-party companies information on users as well as their "friends."
The majority of the penalty was 6.8 billion won in disgorgement, the maximum under PIPA, under which the proceeds of wrongful conduct are charged. The commission also charged Facebook 66 million won for other offenses, such as storing passwords unencrypted, failing to notify users at least once a year of the history of personal information use and submitting false documents.
BY HEO JEONG-WON, LEE JEE-YOUNG
with the Korea JoongAng Daily