Facebook data at the academic centre linked to the Cambridge Analytica scandal was accessed from web addresses connected to previous cyber attacks and Russian locations, according to the Information Commissioner’s Office (ICO).
Giving evidence to the parliamentary inquiry into fake news, ICO leaders said the watchdog had alerted the authorities but was still investigating precisely what personal information had been accessed and by whom.
Information Commissioner Elizabeth Denham said: “The major concern that I have in this investigation is the very disturbing disregard that many of these organisations across the entire ecosystem have for the personal privacy of UK citizens and voters.”
The data collected by the Cambridge University Psychometric Centre was collected legally for academic purposes, said deputy information commissioner James Dipple-Johstone, but evidence showed it had been accessed by potentially malicious actors.
The psychometric centre pioneered the use of Facebook data in psychometric testing, attracting the attention of Cambridge Analytica in 2014 who hoped to build political advertising models using Facebook data.
Dr Alekander Kogan, who worked at the psychometric centre, set up a separate business to harvest the personal information of almost 90 million Facebook users for Cambridge Analytica after the company approached him in 2014. His colleague, Dr David Stillwell, refused the work due to data protection concerns.
But it was data from Dr Stillwell’s work which Dipple-Johnstone said was accessed from suspicious web addresses.
“Some of those IP addresses resolved to IP addresses in Russia but also to IP addresses of concern through alleged cyber attacks in the past and at least one TOR entry point, which is a device for people to hide their identity online,” he said.
“We don’t know who is behind those addresses but some of them appear on lists of concern to cyber security professionals by virtue of other types of cyber incidents,” he added.
The ICO gave evidence to MPs on the same day as releasing a wide-ranging report into the use and misuse of private information by businesses and political campaigns.
Ms Denham said the scale of the investigation into the misuse of data by businesses and political organisations in recent years is “unprecedented”.
She said: “This investigation is unprecedented for our office.
“It’s unprecedented for any data protection authority worldwide in terms of the type of information we’re examining, the numbers of organisations, the numbers of individuals, the cost of the investigation and the expertise that’s required.
“But what’s at stake are the fundamentals of our democratic processes.”
She also encouraged MPs to look at revising laws around political campaigns in the digital age.
“People have to be able to trust the systems so it’s very important that we get to the bottom of it and that Parliament takes up some of the important recommendations that we’ve made at policy level that includes a statutory code of practice for political campaigning.
“The rules need to be sharpened, they need to be clear, they need to be fair across all organisations involved in political campaigning,” she said.
Damian Collins, chair of the inquiry, said: “We hear loudly the opinion of the Information Commissioner that the time for self-regulation is over and a time of accountability is here where parliament sets the objectives and outcomes for social media companies to follow, rather than the regulator taking on individual complaints.”