> series: anatomy_of_a_breach —— part: 111 —— target: facebook_users —— profiles: 87,000,000 —— purpose: political_manipulation
In March 2018, The Guardian/Observer, The New York Times, and Channel 4 News published investigations revealing that Cambridge Analytica, a British political consulting firm linked to SCL Group, had harvested the personal data of up to 87 million Facebook users without their explicit consent. The data was collected through a personality quiz app called 'thisisyourdigitallife', developed by the academic Aleksandr Kogan. Only around 270,000 people installed the app, but Facebook's Graph API v1.0, current when the app was collecting data in 2014, allowed an app that had been granted the `friends_*` permissions to read profile data on the installing user's friends as well. Those friends never saw a consent dialog, which is how 270,000 installs became tens of millions of profiles. Facebook retired those permissions with Graph API v2.0 in 2014 and withdrew them from existing apps in 2015, after the harvesting had already taken place.
The harvested data, including likes, interests, demographic information, and inferred personality traits, was used to build psychological profiles of voters, which Cambridge Analytica then used for targeted political advertising during the 2016 US presidential election and, reportedly, the UK's EU referendum. Facebook's market capitalisation fell by roughly $37 billion on the first trading day after the story broke. CEO Mark Zuckerberg testified before the US Congress and the European Parliament. The UK's Information Commissioner's Office (ICO) fined Facebook £500,000 (the maximum available under the Data Protection Act 1998, the pre-GDPR regime) and issued an Enforcement Notice against SCL Elections Ltd, trading as Cambridge Analytica, which had by then begun insolvency proceedings. The scandal was a catalyst for the global privacy reckoning that GDPR, applying from 25 May 2018, two months later, would codify.
We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.
Cambridge Analytica was not a traditional breach: no systems were hacked, no vulnerabilities exploited, no malware deployed. The data was collected through Facebook's own API, using permissions that Facebook had designed and granted to app developers. The failure was in platform design and governance. First, the API's consent model was transitive: one user accepting an app's permission request exposed the data of every friend of that user, none of whom had consented to the app. Second, Facebook's Platform Policy prohibited developers from selling or transferring user data to third parties, but the policy was not enforced; when Facebook learned in December 2015 that Kogan had passed the data to SCL/Cambridge Analytica, it removed the app and accepted written certifications that the data had been deleted rather than verifying the deletion. The 2018 reporting showed that the data had not, in fact, been destroyed.
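To make the platform-design point concrete, here is an added example (not code from the original article, from Facebook, or from Cambridge Analytica) that models a social-graph API's authorisation check under two consent policies: the transitive model described above, in which an installer's grant also exposes their friends, and a per-subject model, in which a profile is readable only if its owner has themselves granted the app. The scope name `friends_likes`, the app name `quizapp`, and the users and friendships are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed scope name, modelled on the friends_* permissions of Graph API v1.0.
FRIENDS_SCOPE = "friends_likes"


@dataclass
class Platform:
    """A minimal social graph with per-app, per-user permission grants."""
    friends: dict = field(default_factory=dict)  # user -> set of friends
    grants: dict = field(default_factory=dict)   # app -> {user -> set of scopes}

    def add_friendship(self, a: str, b: str) -> None:
        self.friends.setdefault(a, set()).add(b)
        self.friends.setdefault(b, set()).add(a)

    def grant(self, app: str, user: str, scopes) -> None:
        """Record that `user` accepted `app`'s consent dialog for `scopes`."""
        self.grants.setdefault(app, {}).setdefault(user, set()).update(scopes)

    def accessible_profiles(self, app: str, policy: str) -> set:
        """Return the users whose profile data `app` may read under `policy`.

        "transitive":  an installer with the friends scope exposes every friend,
                       whether or not that friend ever saw a consent dialog
                       (the v1.0-style behaviour the article describes).
        "per_subject": a friend's data is readable only if that friend has
                       themselves granted the app, so the reachable set can
                       never exceed the set of consenting users.
        """
        app_grants = self.grants.get(app, {})
        exposed = set(app_grants)  # installers always expose their own profile
        for user, scopes in app_grants.items():
            if FRIENDS_SCOPE not in scopes:
                continue
            for friend in self.friends.get(user, set()):
                if policy == "transitive":
                    exposed.add(friend)
                elif policy == "per_subject":
                    if friend in app_grants:
                        exposed.add(friend)
                else:
                    raise ValueError(f"unknown policy {policy!r}")
        return exposed


def build_demo() -> Platform:
    """Constructed sample graph: 3 installers, 12 friends who never installed."""
    p = Platform()
    installers = ["alice", "bob", "carol"]
    for i, user in enumerate(installers):
        for j in range(4):
            p.add_friendship(user, f"friend{i * 4 + j}")  # 12 distinct non-installers
    p.add_friendship("alice", "bob")                       # installers may be friends too
    p.grant("quizapp", "alice", {"email", FRIENDS_SCOPE})
    p.grant("quizapp", "bob", {"email", FRIENDS_SCOPE})
    p.grant("quizapp", "carol", {"email"})                 # carol did not grant friends scope
    return p


def exposure(policy: str) -> int:
    """Number of profiles quizapp can read from the demo graph under `policy`."""
    return len(build_demo().accessible_profiles("quizapp", policy))


if __name__ == "__main__":
    for policy in ("transitive", "per_subject"):
        print(f"{policy:12s} installs=3 profiles_readable={exposure(policy)}")
```

With three installs, the transitive policy yields 11 readable profiles (the three installers plus alice's and bob's eight non-installing friends; carol's friends stay out of reach because she declined the friends scope), while the per-subject policy yields exactly 3. The ratio of profiles read to consenting installers is the figure a platform should be monitoring for every third-party app: under a sound consent model it cannot exceed 1, and under the transitive model it is bounded only by the size of the friend graph.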
Cambridge Analytica was a British company, investigated by the UK's Information Commissioner's Office, and the scandal broke two months before GDPR came into force, making it the defining case study for why stronger data protection regulation was needed. For UK organisations, Cambridge Analytica established that data misuse, even without hacking, can result in regulatory action, reputational destruction, and criminal prosecution: SCL Elections Ltd later pleaded guilty to failing to comply with the ICO's Enforcement Notice. The ICO's Elizabeth Denham described the case as demonstrating 'a disturbing disregard for voters' personal privacy.'
<a href="/cyber-essentials">Cyber Essentials</a> certification demonstrates baseline security and data protection commitment. Our <a href="/penetration-testing/api">API penetration testing</a> assesses the access controls and permission scoping that govern what third parties can read through your APIs. Data loss prevention through <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for unauthorised data access and bulk export. And UK Cyber Defence provides the investigative capability when data misuse is suspected.