Data analytics firm Cambridge Analytica harvested private information from more than 50 million Facebook users in developing techniques to support President Donald Trump's 2016 election campaign, the New York Times and London's Observer reported on Saturday.
The Massachusetts attorney general said her office was launching an investigation after the news reports.
"Massachusetts residents deserve answers immediately from Facebook and Cambridge Analytica," Maura Healey said on Twitter in a post that linked to a Times report.
The United Kingdom's Information Commission also announced on Saturday that it is conducting an investigation of Cambridge Analytica, which also had clients in the country.
"Any criminal and civil enforcement actions arising from the investigation will be pursued vigorously," said Elizabeth Denham, Information Commissioner.
Facebook on Friday said it was suspending Cambridge Analytica after finding data privacy policies had been violated.
The move means Cambridge Analytica and its parent group Strategic Communication Laboratories (SCL) cannot buy ads or administer pages belonging to clients.
The newspapers, which cited former Cambridge Analytica employees, associates and documents, said the data breach was one of the largest in the history of Facebook Inc.
The Observer said Cambridge Analytica used the data, taken without authorisation in early 2014, to build a software programme to predict and influence choices at the ballot box.
It quoted whistleblower Christopher Wylie, who helped set up Cambridge Analytica and worked with an academic at Cambridge University to obtain the data, as saying the system could profile individual voters to target them with personalized political advertisements.
The more than 50 million profiles represented about a third of active North American Facebook users, and nearly a quarter of potential US voters, at the time, the Observer said.
"We exploited Facebook to harvest millions of people's profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis that the entire company was built on," Wylie told the Observer.
The New York Times said interviews with a half-dozen former Cambridge Analytica employees and contractors, and a review of the firm's emails and documents, revealed it not only relied on the private Facebook data but still possesses most or all of it.
The Observer said the data was collected through an app called thisisyourdigitallife, built by academic Aleksandr Kogan, separately from his work at Cambridge University.
Through Kogan's company Global Science Research (GSR), in collaboration with Cambridge Analytica, hundreds of thousands of users were paid to take a personality test and agreed to have their data collected for academic use, the Observer said.
However, the app also collected the information of the test-takers' Facebook friends, leading to the accumulation of a data pool tens of millions-strong, the Observer said. It said Facebook's "platform policy" allowed collection of friends' data only to improve user experience in the app and barred it from being sold on or used for advertising.
Facebook said it acted against Cambridge Analytica and SCL after receiving reports they did not delete information about Facebook users that had been inappropriately shared (bit.ly/2FZU1Ir).
A Cambridge Analytica spokesman said GSR "was contractually committed by us to only obtain data in accordance with the UK Data Protection Act and to seek the informed consent of each respondent."
"When it subsequently became clear that the data had not been obtained by GSR in line with Facebook's terms of service, Cambridge Analytica deleted all data received from GSR," he said.
"We worked with Facebook over this period to ensure that they were satisfied that we had not knowingly breached any of Facebook's terms of service and also provided a signed statement to confirm that all Facebook data and their derivatives had been deleted," the spokesman said.
He said "no data from GSR was used by Cambridge Analytica as part of the services it provided to the Donald Trump 2016 presidential campaign."
$6.2 MILLION FROM TRUMP CAMPAIGN
Trump's campaign hired Cambridge Analytica in June 2016 and paid it more than $6.2 million, according to Federal Election Commission records.
A Trump campaign official said the campaign used the Republican National Committee for its voter data in 2016, not Cambridge Analytica.
"Any claims that voter data were used from another source to support the victory in 2016 are false," said the official, who spoke on condition of anonymity.
In past interviews with Reuters, Brad Parscale, who ran Trump's digital ad operation in 2016 and is his 2020 re-election campaign manager, has said Cambridge Analytica played a minor role as a contractor in the 2016 campaign.
He said the campaign used voter data from a Republican-affiliated organisation rather than Cambridge Analytica. He declined to comment on Friday.
On its website, Cambridge Analytica says it "provided the Donald J. Trump for President campaign with the expertise and insights that helped win the White House."
Facebook did not mention the Trump campaign or any other campaigns in its statement.
"We will take legal action if necessary to hold them responsible and accountable for any unlawful behaviour," Facebook said, adding that it was continuing to investigate the claims.
In a Twitter post, Facebook Chief Security Officer Alex Stamos called the news reports "important and powerful" but said it was "incorrect to call this a 'breach' under any reasonable definition of the term."
"We can condemn this behaviour while being accurate in our description of it," he said.
Acknowledging an episode as a data breach can carry legal significance, as companies face a patchwork of state and federal requirements to notify customers and regulators when they detect that information has been compromised.
Senator Mark Warner, the top Democrat on the US Senate Intelligence Committee, said the case was "more evidence that the online political advertising market is essentially the Wild West" and showed the need for Congress to pass legislation to bring transparency and accountability to online political advertisements.
A source close to the congressional investigations into Russian meddling in the 2016 campaign said the Trump campaign likely will need to address whether it was aware of Cambridge Analytica's methods for obtaining its data or if the data was leveraged during the election.
Cambridge Analytica says it uses "behavioural microtargeting," or combining analysis of people's personalities with demographics, to predict and influence mass behaviour. It says it has data on 220 million Americans, two-thirds of the US population.
It has worked on other campaigns in the United States and other countries, and is funded by Robert Mercer, a prominent supporter of politically conservative groups.
Facebook in its statement described a rocky relationship with Cambridge Analytica, Kogan and Wylie going back to 2015.
That year, Facebook said, it learned that Kogan lied to the company and violated its policies by sharing data he acquired with a so-called "research app" that used Facebook's login system.
Kogan was not immediately available for comment.
The thisisyourdigitallife app was downloaded by about 270,000 people. Facebook said Kogan gained access to profile and other information "in a legitimate way" but "did not subsequently abide by our rules" when he passed the data to SCL/Cambridge Analytica and Wylie.
Facebook said it cut ties to Kogan's app when it learned of the violation, and asked for certification from Kogan and all parties he had given data to that the information had been destroyed.
Although all certified they had destroyed the data, Facebook said it received reports in the past several days that "not all data was deleted."