Facebook could face a potential €1.6bn fine under GDPR rules if found guilty of wrongdoing.
At least 50m accounts were breached, with a further 40m potentially affected. The breach is the largest in Facebook’s 14-year history and the company is still trying to determine whether the attacker misused any accounts or stole private information.
Earlier this week, we reported that the DPC was likely to investigate the breach because of the presence of Facebook’s 2,500-strong operations in Ireland, including a newly built data centre campus.
The case could be one of the first major tests of the EU’s General Data Protection Regulation (GDPR) legislation which came into force in Europe in May. Under GDPR rules, companies could be hit with fines of up to €20m or 4pc of global turnover, whichever is higher. Not only that, but affected EU users are empowered under the rules to take litigation against companies if they have been affected.
In a statement issued last night (3 October), the DPC said that it had commenced an investigation under Section 110 of the Data Protection Act 2018 into the Facebook data breach, for which notification was received by the DPC on Friday (28 September).
“In particular, the investigation will examine Facebook’s compliance with its obligation under the General Data Protection Regulation to implement appropriate technical and organisational measures to ensure the security and safeguarding of the personal data it processes.
“Facebook has informed the DPC that their internal investigation is continuing and that the company continues to take remedial actions to mitigate the potential risk to users,” the DPC said.
Background to the attack
The attack on Facebook appears to be at the hands of hackers with sophisticated skills who were able to discover vulnerabilities and bugs in the social network’s code, and exploit them.
For Facebook, it was the bitter icing on the cake of a year of data debacles, most notably the Cambridge Analytica scandal whereby 87m users’ accounts were tapped by an app created on behalf of the eponymous UK political consultancy to ostensibly shape sentiment around the UK’s Brexit referendum and the US presidential election of 2016.
On Friday, Facebook product management VP Guy Rosen said that the breach was discovered on Tuesday (25 September) and that hackers exploited a bug in the ‘View As’ function that enabled them to gain access tokens or digital keys to users’ accounts and potentially steal others.
The company responded by resetting the access tokens of 50m users and taking the precaution of resetting tokens of 40m other accounts that may have been affected.
It will be interesting to see what kind of results the DPC’s investigation brings up. Was Facebook blameless for the glitch? Did it act responsibly by disclosing the breach and taking prompt action? Could the situation have been prevented?
For Facebook, which generates around $40bn worth of turnover every year, the spectre of a $1.6bn fine (4pc of turnover) would hardly be palatable right now.