Facebook leak reveals personal data of hundreds of Irish officials in sensitive positions

Defence Forces is aware of Facebook data leak and is ‘taking appropriate steps’

Private information relating to up to 1.5 million Irish Facebook users has been exposed in the leak, part of the leaking of 500 million profiles worldwide. Photograph: Josh Edelson/AFP
Private information relating to up to 1.5 million Irish Facebook users has been exposed in the leak, part of the leaking of 500 million profiles worldwide. Photograph: Josh Edelson/AFP

The personal data of hundreds of Irish people working in sensitive State positions has been exposed in a Facebook data leak, including that of gardaí, prison officers and Revenue staff.

Private information relating to up to 1.5 million Irish Facebook users has been exposed in the leak, part of the leaking of 500 million profiles worldwide. The leaked data first surfaced in 2019. However, until this month the files were difficult to find and access was usually obtainable for a fee.

The data resurfaced this month and entered wide online circulation and can now be easily accessed by people with only minimal computer knowledge.

The leaked data includes more than 1,900 profiles of Irish users who say they are members of the Defence Forces and more than 350 profiles listing the Garda as their employer.

READ SOME MORE

A Defence Forces spokesman told The Irish Times on Tuesday it was aware of leak and was “taking appropriate steps”.

The data leak includes the mobile phone number, Facebook ID and full names associated with each profile. In many cases it also includes employers’ and spouses’ names, email addresses, dates of birth and dates of account creation.

This data is not only a "treasure trove" for scammers but could also pose a personnel safety risk to people in sensitive positions such as those working in the public security sector, said Brian Honan, chief executive of BH Consulting, a cybersecurity and data-protection firm.

The employment data was gathered by Maciej Makowski, a cybersecurity expert and former member of the Garda National Cyber Bureau. It has been confirmed by The Irish Times.

Other public bodies whose members have had their data exposed include Revenue (171 listings), Customs (20), the Director of Public Prosecutions (three) and the departments of Justice (174), Defence (112) and Foreign Affairs (74).

Twenty-eight leaked profiles stated they worked for the Irish Prison Service (IPS), including a small number who said they worked in Portlaoise, the State's maximum-security prison.

Targeted attacks

Cybersecurity experts said the leak is concerning for several reasons. As well as increasing the danger of harassment and malicious phone calls, the data leak allows for targeted malware or phishing attacks on individuals in sensitive positions.

It may also allow criminals to identify the family members of people in sensitive positions, through their Facebook network, even if their profile uses a false name.

“Getting someone’s emails address or phone is not impossible but it usually takes a bit of work. This is a one-stop shop,” said Mr Honan.

“For people in sensitive positions, it could potentially pose a personal safety risk them and to their families, not just a scamming risk.”

For gardaí, there will be concern that some of the leaked mobile numbers might be for official Garda phones, including ones used for sensitive matters such as contacting covert human intelligence sources or international liaison, Mr Makowski said.

According to a 2014 Garda headquarters directive, members should be “mindful” of putting anything online which may identify them as a Garda.

Caution advice

Defence Forces personnel are not discouraged from identifying themselves on social media but are warned to “always maintain personal and operational security and be careful about the information that is shared online. If in doubt, leave it out.”

Mr Honan said if a Facebook user believes their data has been leaked they should be “extremely careful” of any unrecognised messages or links they receive.

Mr Makowski recommended, at the very least, users delete their Facebook accounts “and consider if you actually need a new one”.

Conor Gallagher

Conor Gallagher

Conor Gallagher is Crime and Security Correspondent of The Irish Times