Facebook botches response to a scandal, again

Facebook (FB) has some explaining to do.

Late on Friday, The New York Times published a report sparking the social network’s latest scandal. In 2015, Cambridge Analytica, the data analytics firm that worked for Donald Trump’s presidential campaign, harvested the Facebook login data of 270,000 people and used it to also access data and information about many of their friends. It’s a violation of Facebook’s terms of service that ultimately affected roughly 50 million users and their data, which could have included information about their locations and interests, as well as photos, status updates and check-ins. To make matters worse, the social network is also investigating the ties of one of its current researchers, who previously worked at Cambridge Analytica.

The fallout from this latest scandal has been swift and severe. Two former federal officials who drafted the consent decree governing how Facebook handles user privacy say the social network may have violated that decree, which could result in millions of dollars of fines against Facebook.

But what has been most disappointing is how Facebook handled the situation. When the news broke on Friday, Facebook approached it in the same diffuse way it handled revelations that Russia had used the platform to help sway the presidential election: it denied it. The social network contended this was not, in fact, a “data breach,” and that its platform performed precisely as Facebook had always intended. Instead it was an outside party — Cambridge Analytica, in this case — that violated the company’s terms of service. Translation: Facebook’s security remained intact during this incident, and none of this was Facebook’s fault.

While Facebook may not have been “hacked” in the technical sense, there’s no denying that the personal data of some 50 million people was harvested unknowingly and unwillingly for means other than what those people intended, indicating there was some sort of breach, if not of the Facebook platform, then surely of those users’ privacy.

“Protecting people’s information is at the heart of everything we do, and we require the same from people who operate apps on Facebook,” Facebook VP & Deputy General Counsel said in a statement. “If these reports are true, it’s a serious abuse of our rules.”

Facebook’s biggest failure

Equally egregious is the argument that Facebook is somehow not at fault here. While the social network has updated its terms of service since 2015 so as not to enable developers to do what Cambridge Analytica did, Facebook failed to disclose the incident until it was reported two years or so later, which has many wondering: Would Facebook have suspended the whistleblower’s Facebook account if the report had not surfaced? Would the social network have disclosed the incident at all? Doubtful.