A watchdog told Facebook that relying on developers to follow information rules in some cases was not good enough two years before a "data grab" on millions of users is said to have taken place.
A 2011 audit by Ireland's Data Protection Commissioner (DPC) said Facebook's security measures were "not considered sufficient" to prevent third party apps from unauthorised use of personal data.
In 2013, Cambridge University researcher Aleksandr Kogan is alleged to have collected data from 50 million users using a quiz app before passing the information to election consultancy Cambridge Analytica (CA) in 2014.
Both Facebook and CA have denied any wrongdoing.
The Sunday Telegraph reported the watchdog's warnings as Facebook printed full-page apologies from founder Mark Zuckerberg in the UK's national newspapers.
The billionaire said the social networking site had already stopped apps like Dr Kogan's from accessing so much information and promised to "do better" for users.
The December 2011 report by the DPC told executives at Facebook's international headquarters in Ireland that the watchdog "(did) not consider that reliance on developer adherence to best practice or stated policy in certain cases is sufficient to ensure security of user data".
Facebook told the regulator that it had "proactive auditing and automated tools" that were designed to not only detect abuse by developers, but to "prevent it in the first place".
However the watchdog said the measures "(were) not considered sufficient by this Office to assure users of the security of their data once they have third party apps enabled".
The company told the Sunday Telegraph that a September 2012 audit by the DPC said the firm had made "good progress", while the company changed its platform entirely in 2014.
Claims that the data acquired by CA may have been used as part of Donald Trump's 2016 presidential campaign sparked an international backlash against Facebook when they emerged last week.
Mr Zuckerberg said he was "really sorry" for the "major breach of trust" and pledged to work to prevent data from being misused in future.