New ways in which Facebook might have played a role in 2016 election meddling continue to emerge. Yesterday (March 16), the company announced the suspension of data analytics company Strategic Communication Laboratories (SCL) and its prominent parent political firm Cambridge Analytica—three years after it illegally used the data of up to 50 million users.

According to a note shared by the company, in 2015 Facebook found out that, despite telling its users otherwise, Cambridge professor Aleksandr Kogan passed user data collected through personality testing app “thisisyourdigitallife” (which touted itself as a personality test used by psychologists) to the political firm Cambridge Analytica—a company owned by Robert Mercer and led by Steve Bannon at the time—and to Christopher Wylie, from a digital service company called Eunoia Technologies.

The 270,000 people who downloaded the app allowed it access not only to their data, but some of their friends’—depending on their settings. However, they did not authorize that their data be shared with other companies, a behavior that is in violation of Facebook platform policies. The revelation comes from reporting by The Observer.

According to Wylie, a whistleblower who detailed the illegal data use, saying the information was used in 2014 to profile individual US voters who were then served Donald Trump ads during the election. “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons,” Wylie told The Observer, “That was the basis that the entire company was built on.”

After finding out that the breach had happened, Facebook deleted the app, then requested a certification from all involved that the obtained data had been destroyed—but Facebook never followed up on it. “They waited two years and did absolutely nothing to check that the data was deleted. All they asked me to do was tick a box on a form and post it back,” Wylie said.

Only last month, Cambridge Analytica’s CEO and Facebook both told the British parliament the political firm did not harvest any of the social media user data to target election ads during Brexit.

The firm continues to deny the allegations:

Facebook has repeatedly denied that data breaches as the one detailed occurred—and even after finding out, years after the fact, that it had, the company defends its best practices. ”We are committed to vigorously enforcing our policies to protect people’s information,” Facebook states in the same note that admits their “vigorous enforcement” consisted in taking the word of someone who had already broken their regulation to ensure said information was protected.

Further, the note tries to put the responsibility of controlling such information on the user, but highlighting a the “ways we give people the tools to control their experience.”