Ireland’s data regulator to probe Facebook data attack under GDPR rules

2 Oct 2018

© Darren 415/

Hack of between 50m and 90m Facebook accounts could be first real test of GDPR in Ireland.

Ireland’s Data Protection Commission (DPC) is preparing to launch a formal investigation into the major data breach at Facebook that saw hackers gain access to at least 50m users’ accounts.

On Friday (28 September), Facebook disclosed that 50m user accounts had been breached by an access token harvesting attack. It warned that another 40m may also have been compromised and, in all, 90m of its 2.2bn users will have to log in or reset their credentials.

The breach is the largest in Facebook’s 14-year history and the company is still trying to determine whether the attacker misused any accounts or stole private information.

Now, it has emerged that the Irish data regulator is preparing to investigate the breach in what could be the first major test of the General Data Protection Regulation (GDPR) legislation that came into force across the EU in May.

According to the Financial Times, less than 10pc of users affected were in the EU.

GDPR could mean big fines following data breaches

Under GDPR rules, companies could be hit with fines of up to €20m or 4pc of global turnover, whichever is higher. Not only that, but affected EU users are empowered under the rules to take litigation against companies if they have been affected.

Facebook is understood to be one of a large number of US tech companies that have chosen the Irish DPC as a one-stop shop for data oversight under GDPR.

As well as being a test for GDPR, it will be a test for the DPC headed by Data Protection Commissioner Helen Dixon.

It is understood that before a formal investigation will be launched, the DPC will be gathering information to inform the scope of the inquiry and under which provisions of the Data Protection Act 2018 it will conduct the investigation.

On Friday, Facebook’s vice-president of product management, Guy Rosen, said that the breach was discovered earlier in the week on Tuesday (25 September). He said that hackers exploited issues in Facebook’s code, in particular the ‘View As’ function, to get an access token and this allowed them to steal more tokens from other accounts.

He said the company responded by resetting the access tokens of 50m accounts that Facebook knows for sure have been affected as well as taking the precautionary step of resetting access tokens for another 40m accounts. As a result, 90m users have had to log back into Facebook or any apps that use the Facebook Login feature. As a third precaution, Facebook has turned off the View As feature as it conducts its own thorough investigation into the matter.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years