Last Friday, Facebook announced that an unknown hacker or group of hackers had obtained the access tokens of as many as 50 million accounts by exploiting three vulnerabilities in the platform.
Using the stolen access tokens, the hackers could, Facebook said, access Facebook accounts of the affected users and could also access services that Facebook users logged in to using Facebook’s Single Sign-on facility. To minimise the damage hackers could cause in the coming days, Facebook reset access tokens of up to 90 million users immediately.
Irish Data Protection Commission looking into Facebook breach
Soon after Facebook disclosed the massive breach to all users, the Irish Data Protection Commission expressed concern that the breach was discovered only last week and that Facebook was “unable to clarify the nature of the breach & risk to users”.
A couple of days later, the Commission asked Facebook to share “further urgent details of the security breach” as well as information about the number of EU users who were affected by the incident. It said that these details were necessary for it to “properly assess the nature of the breach and risk to users”.
Soon after the Data Protection Commission issued the reminder, Facebook revealed that, of the 50 million users affected by the breach of access tokens, fewer than 10 percent were EU users, and that it would provide a more detailed breakdown “soon”.
Following Facebook’s disclosure, Ilia Kolochenko, CEO and founder of High-Tech Bridge, said that from a legal point of view, the incident could become a notorious milestone of GDPR enforcement by the EU regulators.
“A multi-million fine is not that impossible under the integrity of circumstances. As for the US, a class action and individual lawsuits can cause a lot of trouble for Facebook, potentially with even higher penalties or settlements, exacerbated by legal costs and a jeopardized public image,” he said.
According to The Wall Street Journal, if the European Union privacy watchdog determines that Facebook did not do enough to ensure the privacy and digital security of millions of users in the EU region, Facebook could face a fine of up to $1.63 billion (£1.26 billion) under the new GDPR regulations.
Non-compliance with GDPR rules or a violation of the 72-hour breach notification window can attract a maximum fine of either 20 million euros or 4% of a firm’s global annual turnover, whichever is higher. Considering Facebook’s global presence and its dominance in the social media world, the fine imposed on it could easily exceed a billion euros.
Facebook could attract an exemplary fine
In July this year, the UK’s Information Commissioner’s Office fined Facebook an exemplary £500,000 under the 1998 Data Protection Act for failing to prevent data analytics firms (such as Cambridge Analytica) from harvesting personal details of millions of users.
Commenting on the fine issued by the ICO to Facebook, Christopher Littlejohns, EMEA manager at Synopsys, said that the fine imposed on Facebook was a salutary lesson to companies operating within the European region and that a fine of such magnitude could top hundreds of millions under the newly-implemented GDPR.
“Such fines are potentially so large they can significantly affect operating margin, and ultimately share prices of large companies. Personal data collectors and aggregators are particularly at risk to these issues, due to the scale and value of the data they collect; and consequently should be extremely vigilant and diligent in their custodianship of such data.
“Companies that do not undertake effective risk analysis, data privacy management, ongoing diligence, and open communication with users and authorities when breaches occur will potentially face severe business impediments at best, and existential threats at worst,” he added.