Turkey’s data protection authority KVKK has issued a fine of 1.6 million Turkish lira (£228,000) to Facebook for failing to prevent the exposure of personal data of up to 280,959 Turkish users that included names, dates of birth, and search history.
According to the Personal Data Protection Authority of Turkey, the personal data exposed due to Facebook’s lack of oversight included basic information such as names, phone numbers, and email addresses of 133,510 Facebook users, and a lot of additional information about a further 143,974 users.
These details included usernames, gender, preferred language, relationship status, dates of birth, device information, job history, training history, search history on Facebook, and details of 500 major accounts followed by each user.
The exposure of personal data of almost 281,000 Facebook users in Turkey took place between 14 and 27 September last year before Facebook introduced a patch to fix a flaw that allowed Facebook users to view detailed profile information of others.
KVKK said that the data breach occurred due to “a vulnerability caused by the interaction of the Facebook system, the Birthday Celebrator and the Video Uploader, three different features of the Facebook system”.
“Incoming screen gives the user the option of sending a birthday message to friends whose birthday is visible. If the option to send a birthday message is used with the Video Uploader, the video uploader generates an access token for the See Through Eye mode.
“This access token belongs to the friend of the user to whom the birthday message will be sent.
As a result of this access token produced, it can be used to obtain the profile information of the other party,” reads a translated version of KVKK’s ruling.
Facebook acted too late to fix technical flaws that led to data exposure
KVKK also noted that Facebook did not take appropriate action as per law to patch the vulnerability even though relevant weaknesses were observed in the platform for approximately 14 months from July 21, 2017 to September 27, 2018.
Due to its failure to patch vulnerabilities that eventually led to the exposure of profile information of hundreds of thousands of Turkish citizens, Facebook has been fined 1.15 million lira (£164,072) by KVKK. The watchdog also issued an additional fine of 450,000 lira (£64,202) to Facebook for failing to report the data breach incident to the authority within mandated timelines.
“Facebook is facing a number of fines recently for the misuse of people’s data, and we are likely to see more coming to light in the future. For a long time Facebook appeared to be immune to privacy issues and regulation, however as people become more concerned and aware about how their personal data is held and used online, the social media platform is facing much more scrutiny.
“The good news is that Facebook does seem to be taking these concerns on board and are working to make security and privacy changes across the platform to help protect its users,” said Robert Ramsden-Board, VP of EMEA at Securonix.
A few days ago, Reuters reported that Facebook suspended tens of thousands of third-party apps associated with about 400 developers on its platform as a result of a review of whether app developers were following stringent data security and privacy-oriented guidelines. The review was initiated in March 2018 following the Cambridge Analytica scandal that compromised personal details of up to 87 million people, 70 million of whom were from the United States.