Cambridge Analytica, a data analysis firm that worked on President Trump's 2016 campaign, and its related company, Strategic Communications Laboratories, pilfered data on 50 million Facebook users and secretly kept it, according to reports in The New York Times, alongside The Guardian and The Observer. The apparent misuse of Facebook data—and the social media giant's failure to police it—leave both companies with plenty still to answer for.

Facebook has suspended both Cambridge and SCL while it investigates whether both companies retained Facebook user data that had been provided by third-party researcher Aleksandr Kogan of the company Global Science Research, a violation of Facebook's terms. The suspensions were announced just hours before The New York Times and The Guardian published stories Saturday morning describing how Cambridge Analytica harvested data on 50 million US Facebook users, a number far larger than the 270,000 accounts Facebook initially cited. Facebook says it knew about the breach, but had received legally binding guarantees from the company that all of the data was deleted.

"We are moving aggressively to determine the accuracy of these claims. If true, this is another unacceptable violation of trust and the commitments they made," Paul Grewal, Facebook's vice president and general counsel, wrote in a blog post Friday night. Facebook is also suspending Kogan, as well as Christopher Wylie of Eunoia Technologies, the whistleblower who led to stories in The Guardian and The New York Times.

In a statement, a spokesperson for SCL denied the claims. "Cambridge Analytica and SCL Elections do not use or hold Facebook data," the statement read. (Cambridge is an independent company in the United States that was spun out of SCL.)

According to one source, a trove of Facebook users' personal data was visible on Cambridge's internal databases in 2017.

And yet, following Facebook's announcement Friday night, sources close to Cambridge confirmed to WIRED that this data was still accessible as recently as last year. According to one source, a trove of Facebook users' personal data was visible on Cambridge's internal databases in 2017, despite SCL's current denial and past promises to both Cambridge employees and Facebook that it had all been deleted in 2015. The data included Facebook IDs, and responses to personality surveys that had been administered by Kogan in 2015. Another source close to the company recalled seeing a database called "Kogan-import" in Cambridge's system, which was only visible to a small number of staffers in data science, engineering, and IT. The source says the database was tightly controlled in terms of who could edit or delete it.

Asked to confirm whether this database existed, an SCL spokesperson said, "We did a system wide internal audit to verify that all GSR data had been removed before we signed an undertaking to Facebook."

The data in question was gathered using an app called thisisyourdigitallife, created by Kogan, that offered Facebook users personality quizzes. Those who downloaded the app voluntarily turned over reams of personal data about what they like, where they live, and in some cases, depending on individual privacy settings, who their friends were.

Though Facebook says just 270,000 people downloaded the app, a loophole at the time apparently allowed Kogan to collect vastly more information. Until 2014, apps could also collect information on every users' entire friend network. Facebook shut down that capability for app developers in mid-2014, but offered some apps that were already up and running a small grace period before cutting them off. That timing roughly lines up with Kogan's research. Of the 50 million accounts Kogan had data on, the New York Times and Guardian reports say, 30 million had complete enough profiles that Cambridge could create psychographic profiles of them. Different than demographic profiles, these describe people based on their personality types.

Kogan passed the survey results on to SCL and Cambridge. Facebook learned about this violation in 2015, removed the app, and requested that Cambridge Analytica, Kogan, and Wylie certify that they had destroyed the information. In a statement, an SCL spokesperson said the company deleted the data as soon as they found out it violated Facebook's policies.