Examining Cambridge Analytica Data Misuse Scandal Claims: Timeline of Key Dates, Documents, and Turning Points

Scope and purpose: this timeline examines claims about the Cambridge Analytica data misuse scandal by mapping major dates, primary documents, and investigative turning points. It focuses on what is documented in primary sources (regulatory reports, hearing transcripts, court filings) versus where public accounts diverge or remain unproven. The phrase Cambridge Analytica data misuse scandal is used throughout to keep the scope clear.

Timeline: key dates and turning points in the Cambridge Analytica data misuse scandal

1. 2013–2014 — Data collection via an app called “thisisyourdigitallife”: a Cambridge University researcher, Aleksandr Kogan, deployed a personality‑test app under his company Global Science Research. Reports and later investigative documents show the app gathered profile information from users who installed it and, via Facebook’s APIs at the time, also accessed certain data about those users’ friends. This data collection route is central to subsequent claims about large-scale harvesting.
2. March 17–20, 2018 — Media exposes and Channel 4 undercover footage: The Observer/The Guardian and allied reporting published a series of articles alleging that data harvested by GSR had been passed to Cambridge Analytica and used for political profiling; around the same time Channel 4 released undercover recordings of Cambridge Analytica executives (including then‑CEO Alexander Nix) describing aggressive campaign tactics. These reports triggered wide public and regulatory attention.
3. March 19–23, 2018 — Corporate and regulatory responses: After the media revelations, Cambridge Analytica suspended its CEO Alexander Nix and disputed aspects of the reporting. The UK Information Commissioner’s Office sought access to records and, on March 23, obtained a warrant to search Cambridge Analytica premises as part of an investigation into data analytics used for political purposes. Facebook said it would investigate and later said it had paused an internal audit at the ICO’s request.
4. March–April 2018 — Disputed totals reported publicly: Early news reports cited about 50 million Facebook users’ data as harvested and passed to Cambridge Analytica; Facebook later issued figures suggesting up to 87 million accounts might have been affected, while Cambridge Analytica publicly disputed the larger figures and stated it licensed at most around 30 million records. These differing numbers became a recurring point of dispute.
5. March–May 2018 — Whistleblower disclosures and parliamentary/congressional attention: Christopher Wylie, identified as a key whistleblower, provided accounts to journalists and later to parliamentary and congressional committees about how data was acquired and used. Wylie provided written statements and testified before the UK Parliament’s Digital, Culture, Media and Sport Committee (March/April 2018) and the U.S. Senate Judiciary Committee (May 16, 2018). His testimony raised additional claims (including allegations about uses of the data and possible links to other actors) and supplied a list of documents he said supported his account.
6. May 17, 2018 — Cambridge Analytica and SCL file for bankruptcy / administration: Facing legal and commercial fallout, Cambridge Analytica LLC and SCL USA filed for bankruptcy protection in mid‑May 2018; administrators and legal filings from that process provide records of the company’s contracts and some disputed internal documents.
7. May–November 2018 — UK and US regulatory and parliamentary investigations intensify: The ICO led a broad inquiry into political data analytics, and multiple parliamentary committees in the UK produced inquiries into “fake news” and data use, citing ICO findings. The ICO continued inquiries into whether data had been unlawfully processed or transferred and whether political actors complied with data‑protection rules.
8. July 2018 — ICO penalty against Facebook under the Data Protection Act 1998: The ICO issued a maximum fine available under the old UK law — £500,000 — to Facebook for failures related to the handling of user data connected to this matter (the fine related to transparency and securing data, as detailed in ICO commentary and parliamentary documents). Separately, the ICO indicated investigations into multiple parties in the wider political‑advertising ecosystem continued.
9. 2018–2019 — Civil suits and state regulator actions in the U.S.: Multiple civil lawsuits, class actions, and state attorney general cases were filed or advanced in the U.S., and some state offices (including the District of Columbia’s Attorney General) sued Facebook alleging failures to disclose and prevent misuse of data. These filings are part of the legal record but vary by jurisdiction in their allegations and outcomes.
10. July 2019 — U.S. Federal Trade Commission settlement with Facebook: The FTC announced a settlement requiring Facebook to pay a record civil penalty (approximately $5 billion) and submit to new privacy‑compliance requirements, resolving an investigation that was prompted in part by the Cambridge Analytica revelations. The settlement covered a range of privacy practices and was not limited to a single data transfer incident.
11. 2019–present — Continued litigation, document disclosure, and scholarly analysis: Subsequent court filings, administrative records (including bankruptcy filings and regulatory reports), committee reports, and academic studies have continued to examine what data was collected, how it was used, whether rules were broken, and what influence (if any) the documented practices had on specific electoral outcomes. Different reports reach different emphasis and conclusions; some cite internal Cambridge Analytica documents, others stress limitations in the evidence for causal political effects.

Where the timeline gets disputed

Several specific points in the sequence above have remained disputed in public records and reporting:

• Scale of data harvested: initial reporting commonly cited ~50 million Facebook profiles; Facebook later referenced up to 87 million accounts in some public statements, while Cambridge Analytica asserted lower figures in its public communications. Discrepancies arise from differing definitions (e.g., unique accounts vs. derived profiles) and the evolving disclosures by companies and whistleblowers.
• Who used which datasets for which campaigns: whistleblower testimony and some internal documents describe data‑driven segmenting and targeted messaging, but there is substantial debate — among journalists, academics, and regulators — over how decisive those methods were in changing voter behavior and whether particular datasets were in fact used directly in specific ad purchases or campaign strategies. Some sources claim Cambridge Analytica “ran all” of a campaign’s digital work (reports from undercover footage), while other evidence or denials complicate that claim; official investigations did not uniformly attribute specific electoral outcomes to a single firm’s practices.
• Allegations of transfer to other jurisdictions: whistleblower statements and some ICO investigative notes raised concerns about copies or backups of data being accessible from servers outside the UK, including IP addresses linked to other states; regulators investigated such leads, but public records and legal filings are limited about definitive cross‑border transfers to intelligence services or state actors. Where assertions exist, they often come from single witnesses or fragmentary technical indicators and remain contested.

Evidence score (and what it means)

• Evidence score: 68 / 100
• Score drivers:
• Primary documentation exists (regulatory warrants, committee transcripts, bankruptcy records, investigative articles) supporting that large‑scale Facebook data was collected by GSR and that Cambridge Analytica received some of those data or derived profiles.
• Multiple official investigative actions (ICO warrant and inquiries; U.S. congressional hearings; subsequent FTC and civil enforcement actions) provide corroborating institutional records.
• Key causal claims (for example, specific votes or electoral outcomes being decisively changed by particular Cambridge Analytica datasets) are not uniformly documented in primary sources and rely on interpretation of internal materials and expert inference.
• Numbers and some factual details remain inconsistent across authoritative statements (e.g., 50M vs 87M vs CA’s 30M), reducing clarity on the precise scale of impact.
• Some allegations (e.g., transfer of datasets to particular foreign intelligence services, or specific unlawful coordination in all campaigns named) are supported mainly by single‑party testimony or circumstantial indicators and therefore score lower on independent documentation.

Evidence score is not probability:
The score reflects how strong the documentation is, not how likely the claim is to be true.

This article is for informational and analytical purposes and does not constitute legal, medical, investment, or purchasing advice.

FAQ

What is the Cambridge Analytica data misuse scandal?

The term Cambridge Analytica data misuse scandal refers to reporting and allegations that data gathered via a personality‑test app was passed to Cambridge Analytica and used in political profiling and targeting. Primary investigative reports, regulatory warrants, whistleblower testimony, bankruptcy filings, and enforcement actions document aspects of data collection and regulatory response; however, the scope, exact numbers, and the causal impact on election outcomes are disputed in the public record.

How many Facebook users were affected?

Published figures vary: early reporting commonly used ~50 million; Facebook later reported a possible exposure of up to ~87 million users in some statements; Cambridge Analytica in public statements disputed larger figures, citing lower counts. Differences stem from evolving company disclosures, definitions of “affected,” and independent verification limits. No single authoritative public ledger reconciles all figures to full agreement.

Did regulators find wrongdoing?

Regulators took multiple actions: the ICO executed a warrant and conducted major inquiries in the UK; it later levied enforcement and commentary about failures in transparency and controls. In the U.S., the FTC pursued enforcement against Facebook that resulted in a substantial settlement addressing broader privacy failures (including those revealed by the Cambridge Analytica reporting). Some criminal or civil allegations against specific actors progressed in varied forms, while other claimed links or harms remain the subject of ongoing legal and scholarly debate. citeturn1search1turn1search11turn4search0

What documents are most important for researchers?

Key primary documents include: investigative articles that released contracts and invoices (e.g., Guardian reporting), whistleblower written statements and hearing transcripts (Christopher Wylie’s committee statements), ICO warrants and enforcement material, bankruptcy filings from Cambridge Analytica and SCL, and regulatory enforcement releases. Researchers should consult those primary materials directly and note where secondary summaries diverge.

Where can I read Christopher Wylie’s official testimony?

Wylie’s written statement to the U.S. Senate Judiciary Committee (May 16, 2018) and his UK committee appearances are available in committee records and archival repositories; these are primary sources frequently cited in later reports and analyses. Review committee portals and archival releases for the full texts.

Omar Hassan

History-focused writer: declassified documents, real scandals, and what counts as evidence.