Data breaches continue to set records for numbers of separate events, numbers of compromised consumer records, and amounts of money they cost both businesses and the public. The Identity Theft Resource Center tracks those data breach events to help lawmakers, advocates, law enforcement and individuals be aware and stay prepared.

A new data privacy event is making headlines, but it’s not the same kind of breach we’re used to. In a typical data breach, someone intentionally or unintentionally allows sensitive data to fall into the wrong hands. In the Facebook / Cambridge Analytica case, the data was scooped up by someone who had permission to use only specific aspects of the data, but instead, is accused of scraping it beyond their permissions and using it for purposes beyond what they had agreed.

Facebook has suspended the access to its platform for Cambridge Analytica after learning that the UK-based company was using Facebook users’ data to target them with biased content. Investigations are still underway for activities dating back as far as 2014, and at this point, there is still some question about what data was accessed.

Facebook allows users to input a lot of information about themselves in their account profiles, but they’re also allowed to skip or make private certain key personally identifiable information. Your email address is used to log in, but you’re not required to list it, your hometown, your phone number, your place of employment, your religious or political views or other aspects of who you are. Some users opt to assign a credit card to their profile in order to pay for things like games or send payments to other users; others use the “log in with Facebook” feature in other apps, but that’s a convenience that comes at a price.

Some experts are likening this situation to “weaponized data” rather than a data breach. Users willingly gave their information to the company in order to use take advantage of one-step login,  use third-party apps, play games, take quizzes, and other social media features. What they didn’t agree to, and Facebook expressly prohibited, was the data scraping of their profiles to be used to target Facebook users with highly specific ads, essentially manipulating the posts they would see in their feeds. Moreover, this “information dominance,” as it has been called, gave some organizations a leg up on their competition due to the sheer volume of user profiles that had been gathered.

Additionally, one user does not have the authority to grant permission for another user. Just because a user is friends with someone that provided permission, the “friend” of that user doesn’t surrender their right to grant access to their profile. Users beyond those that originally granted permission to the application involved were unintended victims without any knowledge of how their data was also being used.

It’s important that social media users understand not only their privacy settings and the permissions they are granting when they opt into a third-party site or account, but also how their devices are involved. Some apps ask for access to your device’s location, contacts, files and more. A mobile app can easily lead to a site or another app that you didn’t know you were using and, therefore, didn’t know you were granting access to your data. Any connected site that lets you login by giving access to your Facebook account could potentially access your stored profile information. Know where your digital traffic is going—and where your data can end up—before you click.

 Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.