EU regulator “concerned” over data breach
In another case demonstrating the importance of data security, Facebook has come under the watchful gaze of Ireland’s Data Protection Commission, following the recent breach that affected over 50 million accounts.
Because Facebook’s European operations are based in Ireland, the Data Protection Commission (DPC) is Europe’s key privacy regulator for the company, and the DPC initially put out a statement on Twitter noting its concerns about the scale of the breach. It read, “The DPC is concerned that this breach was discovered on Tuesday & affects millions of users. At present Facebook is unable to clarify the nature of the breach & risk to users. We are pressing Facebook to urgently clarify these matters”.
Since then, the DPC has tweeted that it has requested details from Facebook on the breach, and it has been assured that the company will be able to provide further details soon. It has also clarified that less than 10% of the affected accounts were from within the EU.
The reason all of this matters so much to the Commission comes down to those four familiar letters: GDPR. With those rules now firmly in place, Facebook would become (if it transpired that it had broken GDPR) the highest-profile, largest-scale example of an organisation failing to adhere to them. With the potential fine for failing to safeguard users’ data standing at 20m euros or 4% of global annual revenue (whichever is higher), Facebook could in theory face a reported fine of up to £1.25bn.
Yes, you read that correctly: £1.25bn.
The law also requires companies to inform regulators within 72 hours of the breach occurring, which The Wall Street Journal reports did take place here. This would bring some financial relief, as failure to inform within that timeframe would result in a fine of 2% of worldwide revenue.
It’s not just regulators seeking financial compensation either. Facebook is already on the receiving end of a class action lawsuit brought by a couple of users in California. The legal action claims that users’ personal information was “exposed due to a flaw in Facebook’s code that allowed hackers and other nefarious users to take over user accounts and siphon off Personal Information for unsavory and illegal purposes”. In Canada, another class action suit has been proposed by a law firm which states that Facebook has a duty to ensure that its user data is protected.
With such a hefty potential financial cost riding on this, it’s worth looking back at what exactly happened for this breach to occur in the first place. Vulnerabilities in Facebook’s code (three bugs, to be precise) allowed hackers to gain access to users’ accounts. At the time the hack was announced, Facebook boss Mark Zuckerberg said there was no evidence that any accounts had actually been compromised, but that the hackers were likely looking for personal information, such as names and addresses, that can be gleaned from profile pages. It was also claimed that no financial data was taken, but that apps which use Facebook logins for access - such as Instagram or Spotify - could also have been affected.
Facebook automatically logged out affected users. Passwords themselves were not affected, because the information the hackers got hold of - access tokens - doesn’t contain them.
For now, Mark Zuckerberg will no doubt be hoping that Facebook doesn’t gain the unwanted title of the biggest GDPR-related fine to date. Indeed, considering the number of EU accounts affected is a relatively small proportion of the wider hack, a £1bn-plus fine could be seen by some as excessive, but rules, as they say, are rules.