There are important questions here, but for me, there are a couple of less obvious questions that need to be answered just as urgently.
After the ever-excellent Channel 4 News showed its undercover filming of CA's CEO promising all kinds of dirty tricks to help a pretend candidate win an election, the station's reporter was standing outside CA's office with a very revealing observation. Facebook was already inside.
We then cut to the Information Commissioner, Elizabeth Denham, revealing that the ICO would apply today for a warrant to go in and search CA's London offices. Apparently, a request to go in and take a look around had not been agreed to. What a surprise.
Then the obvious question on everyone's mind was asked -- so Facebook gets to go in and have a look around while you're still looking to get a writ?
That's the inescapable truth of this whole debacle. Money talks. We cannot be entirely sure what Facebook was doing inside the office. Collecting evidence that could be used against CA? By Facebook? Or for a likely ICO investigation? Or perhaps seeing how linked the social media platform is to some very shabby goings-on. Perhaps even to find out how CA got hold of millions of profiles and whether it really did delete the information -- as it insists it did -- several years ago.
Promises made by a CEO who claims to be able to get spies to look into your rivals to dig up dirt, as well as set up a honey-trap to see them filmed with a prostitute or taking bribes, are probably not the kind of assurances one can take to the bank.
To her credit, Elizabeth Denham did point out that this was a wholly unacceptable situation, and that, once GDPR becomes law, Facebook would have been forced to tell the ICO they had suffered a data breach. At the moment it is just best practice, rather than the law.
That is the position in the UK. My understanding was that the American companies had to reveal to their regulator that they have been breached. While they are still allowed time to delay an admission, while it is being investigated, I'm pretty sure they still have to reveal a problem, rather than wait for it to be surprise headline news some years later.
Regardless, the situation remains that Facebook has the door opened for it -- the ICO has to go to the courts. The regulator has to allow the company it wants to investigate, and another company of significant interest in a scandal, to have a day or so behind closed doors doing whatever they are doing before it stands a chance of knocking on the door.
That's the real question here. How can this be?
Data isn't just about privacy any more. This is about potentially illegal access to personal data that is being used in an attempt to swing elections. It has become a lot more serious than a case of receiving an offer long after you unsubscribed from an email list.
The ICO said the GDPR would help, and it will. But what about when a company doesn't tell you it has had a hack? What about when it is possibly colluding with another company to limit any damage while the good guys are hailing a cab to attend court?
This exposé asks many questions. For me, the latter queries are those that will outlive this story and show how our regulators are relatively toothless, even when prodded into action by investigative reporters.