Category: Social engineering · Status: Resolved

Facebook–Cambridge Analytica data scandal

Political consultancy Cambridge Analytica improperly obtained the personal data of up to 87 million Facebook users via a personality-quiz app, exploiting Facebook's permissive third-party API to harvest friend networks and build voter-targeting profiles. The scandal triggered a record $5 billion FTC penalty.

Victim: Facebook
Loss: $5.00B
Records: 87.0M
Users: 87.0M

On 17 March 2018, The Guardian and The New York Times published the account of whistleblower Christopher Wylie, revealing that the political consultancy Cambridge Analytica had obtained the personal data of tens of millions of Facebook users without their consent and used it to build psychographic voter-targeting models. The disclosure became the defining data-privacy scandal of the social-media era and led to a record $5 billion penalty against Facebook.

What happened

The data was not extracted through a hack. It was harvested through Facebook's own platform design. Around 2013–2014, Cambridge University researcher Aleksandr Kogan built a personality-quiz app called "thisisyourdigitallife" and distributed it via Facebook. Roughly 270,000 people installed the app and consented to share their data.

The critical flaw lay in Facebook's Graph API, which at the time allowed an app not only to read the installing user's data but also profile data about all of that user's friends. The friends were never asked; the only control they had was a platform-level privacy setting governing what "apps others use" could see, which most users never changed. Through this friend-network multiplier, Kogan's app collected information on up to 87 million people, the overwhelming majority of whom never installed anything.
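The friend-graph multiplier described above is an authorization-policy question that can be modeled directly. The Python below is an added example, not Facebook's code and not taken from the reporting cited on this page: it builds a small constructed friendship graph, computes which users an app can read under a "friends of installer" policy versus an "installer only" policy, and reports the amplification ratio (exposed users per consenting installer). The policy names, the sample graph and the per-user opt-out flag (standing in for the "apps others use" setting) are all assumptions made for illustration.

```python
"""Exposure model for third-party app permissions over a friendship graph.

Added example, not Facebook's code. Policy names, graph data and the opt-out
flag are constructed for illustration only.
"""
import random
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Hypothetical policy labels for the two models the article contrasts.
#   FRIENDS_OF_INSTALLER: an installing user's consent also exposes profile
#     fields of every friend (the pre-lockdown behaviour described above).
#   INSTALLER_ONLY: the app reads only the data of users who installed it.
FRIENDS_OF_INSTALLER = "friends_of_installer"
INSTALLER_ONLY = "installer_only"


def build_graph(edges: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Undirected friendship graph as adjacency sets."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return dict(graph)


def exposed_users(graph: Dict[str, Set[str]], installers: Iterable[str],
                  policy: str, opted_out: FrozenSet[str] = frozenset()) -> Set[str]:
    """Return the set of users whose data the app can read under `policy`.

    `opted_out` models users who disabled data sharing through friends' apps:
    they are shielded from friend-based collection, but an opted-out user who
    installs the app still exposes their own data by consenting directly.
    """
    installer_set = set(installers)
    exposed = set(installer_set)
    if policy == FRIENDS_OF_INSTALLER:
        for user in installer_set:
            # Every friend of a consenting installer is swept in unless they
            # individually opted out; the friend's own consent is never sought.
            exposed |= graph.get(user, set()) - set(opted_out)
    elif policy != INSTALLER_ONLY:
        raise ValueError(f"unknown policy: {policy}")
    return exposed


def amplification(graph: Dict[str, Set[str]], installers: Iterable[str],
                  policy: str, opted_out: FrozenSet[str] = frozenset()) -> float:
    """Exposed users per consenting installer; 1.0 means no multiplier."""
    installer_set = set(installers)
    if not installer_set:
        return 0.0
    return len(exposed_users(graph, installer_set, policy, opted_out)) / len(installer_set)


def synthetic_graph(n_users: int, avg_degree: int, seed: int = 0) -> Dict[str, Set[str]]:
    """Deterministic pseudo-random friendship graph (constructed test data)."""
    rng = random.Random(seed)
    edges = set()
    for u in range(n_users):
        for _ in range(avg_degree // 2):
            v = rng.randrange(n_users)
            if v != u:
                edges.add((f"u{min(u, v)}", f"u{max(u, v)}"))
    return build_graph(edges)


# Small constructed graph: alice's install exposes bob and carol under the
# permissive policy; erin and frank are untouched because nobody they know
# installed the app.
SAMPLE_GRAPH = build_graph([("alice", "bob"), ("alice", "carol"),
                            ("bob", "dave"), ("erin", "frank")])

if __name__ == "__main__":
    big = synthetic_graph(n_users=20_000, avg_degree=40, seed=1)
    installers = {f"u{i}" for i in range(0, 20_000, 100)}  # 1% of users consent
    for policy in (INSTALLER_ONLY, FRIENDS_OF_INSTALLER):
        print(f"{policy:22s} exposed={len(exposed_users(big, installers, policy)):6d} "
              f"amplification={amplification(big, installers, policy):.1f}x")
```

Running the module prints the exposed-user count and amplification for each policy on the synthetic graph; the permissive policy's ratio grows with average degree, which is why a few hundred thousand installers could yield tens of millions of records. The `opted_out` parameter shows why an opt-out buried in platform settings is a weak control: it only protects users who found and changed it, while the default leaves everyone else exposed.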

Kogan's company, Global Science Research, passed the dataset to Cambridge Analytica (a subsidiary of SCL Group), which used it to develop psychographic profiles intended to micro-target voters during the 2016 U.S. presidential primaries and general election, as well as other political campaigns.

Impact

  • Up to 87 million Facebook users had their data harvested, including names, locations, email addresses and page "likes"; quiz-takers additionally supplied personality-test answers, from which Cambridge Analytica inferred psychological traits for the wider dataset.
  • Facebook's market value fell by roughly $100 billion in the weeks after the story broke amid a #DeleteFacebook movement.
  • The U.S. Federal Trade Commission imposed a $5 billion penalty in July 2019 — the largest the agency had ever levied for a privacy violation — along with a 20-year order overhauling Facebook's privacy governance and creating an independent board-level privacy committee.
  • The U.K. Information Commissioner's Office fined Facebook £500,000 (the maximum under pre-GDPR law).
  • Cambridge Analytica and SCL Group filed for insolvency in May 2018.

Why it matters

The scandal reframed personal data as a systemic platform-governance problem rather than a series of isolated breaches. It exposed how permissive third-party API design — granting apps access to non-consenting users' data through friend graphs — could be weaponized at population scale. The fallout accelerated global privacy regulation (the EU's GDPR took effect two months later), prompted Facebook to lock down its developer APIs, and established the precedent that platforms can be held financially accountable for how third parties exploit their data-sharing architecture.

It remains the canonical case study in consent, secondary data use, and political micro-targeting, cited in virtually every modern data-protection curriculum.

Financial impact

Reported costs in USD

Total reported loss: $5.00B (USD 5,000,000,000)
  • Fines & settlements: $5.00B (the FTC penalty; the ICO's £500,000 fine is not included in this total)

Timeline

  1. 2014: Researcher Aleksandr Kogan builds the 'thisisyourdigitallife' personality-quiz app, which collects data not only from the ~270,000 people who install it but from their entire friend networks via Facebook's Graph API.

  2. 2014–2015: Kogan's company Global Science Research passes the harvested dataset to Cambridge Analytica / SCL Group, which uses it to build psychographic voter-targeting models.

  3. December 2015: The Guardian first reports that Cambridge Analytica used Facebook-derived data for Ted Cruz's presidential primary campaign. Facebook says it will require the data to be deleted.

  4. 17 March 2018: The Guardian and The New York Times publish whistleblower Christopher Wylie's account, revealing the scale of the harvesting and that the data was never fully deleted.

  5. 21 March 2018: Mark Zuckerberg publicly acknowledges the 'breach of trust' and announces audits and API restrictions.

  6. 4 April 2018: Facebook revises its estimate of affected users upward to as many as 87 million.

  7. 10–11 April 2018: Zuckerberg testifies before the U.S. Congress over two days.

  8. 24 July 2019: The FTC announces a $5 billion penalty and sweeping 20-year privacy order against Facebook, the largest privacy fine in U.S. history at the time.

Sources

  1. ftc.gov: https://www.ftc.gov/news-events/news/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions-facebook
  2. theguardian.com: https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election
  3. washingtonpost.com: https://www.washingtonpost.com/business/2021/04/03/facebook-data-leak-insider/
  4. npr.org: https://www.npr.org/2018/12/04/673144745/100-million-quora-users-affected-by-malicious-data-breach
