Ireland’s data regulator has opened an inquiry into Facebook’s failure to securely protect millions of its users’ passwords. But does a fine await the social media giant?
Facebook confirmed last month that hundreds of millions of users had their passwords stored internally in plain text format. They were visible to up to 20,000 of its employees since as far back as 2012, according to cybersecurity researcher Brian Krebs, who first reported the security error.
The tech giant said that there is no evidence that readable passwords were used improperly by its staff and that it had resolved the glitch. It later added that it had also discovered Instagram passwords were stored in a readable format.
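The security point behind the report is the difference between keeping a password itself and keeping only a salted, slow hash of it. As an added illustration (this is not code from the article or from Facebook, and the users, passwords and the check routine are constructed assumptions), the flawed storage pattern is set beside the expected one, with a scan that flags any record that still contains the raw password:

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the example; not real accounts.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
    "carol": "hunter2",   # same password as bob, to show what salting buys
}

# scrypt cost parameters (assumed values for the example; tune for your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_plaintext(users):
    """The failure mode the article describes: the stored record *is* the password.
    Anyone who can read the record (an employee, a backup, a log) has the credential."""
    return {user: {"password": pw} for user, pw in users.items()}


def hash_password(password, salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """Derive a 32-byte key from the password with a memory-hard KDF (stdlib scrypt)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)


def store_hashed(users):
    """The expected form: a random per-user salt, the KDF parameters, and only the
    derived key are kept. The password itself is never written anywhere."""
    records = {}
    for user, pw in users.items():
        salt = secrets.token_bytes(16)
        records[user] = {
            "kdf": "scrypt",
            "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "salt": salt.hex(),
            "hash": hash_password(pw, salt).hex(),
        }
    return records


def verify(record, password):
    """Re-derive the key from the candidate password and compare in constant time."""
    candidate = hash_password(
        password, bytes.fromhex(record["salt"]), record["n"], record["r"], record["p"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def leaks_password(records, users):
    """Scan stored records for the raw password. Returns the users whose record
    would hand the password to anyone able to read it. Run over a sample of records
    (or log lines) this is the kind of check that catches plaintext storage early."""
    leaked = []
    for user, pw in users.items():
        if pw in repr(records.get(user, {})):
            leaked.append(user)
    return leaked


if __name__ == "__main__":
    print("plaintext store leaks:", leaks_password(store_plaintext(SAMPLE_USERS), SAMPLE_USERS))
    hashed = store_hashed(SAMPLE_USERS)
    print("hashed store leaks:", leaks_password(hashed, SAMPLE_USERS))
    print("alice login ok:", verify(hashed["alice"], "correct horse battery staple"))
    print("bob and carol share a hash:", hashed["bob"]["hash"] == hashed["carol"]["hash"])
```

Two things the output makes concrete: with a per-user salt, bob and carol end up with different records even though they chose the same password, so a reader of the store learns nothing about either; and the only way to confirm a password is to re-run the KDF, which is exactly the property a plaintext store lacks.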
Ireland’s Data Protection Commissioner (DPC) will now look to see whether the Facebook password breach violated European data laws, known as the General Data Protection Regulation (GDPR).
“The Data Protection Commission was notified by Facebook that it had discovered that hundreds of millions of user passwords, relating to users of Facebook, Facebook Lite and Instagram, were stored by Facebook in plain text format in its internal servers,” the DPC said in a statement.
“We have this week commenced a statutory inquiry in relation to this issue to determine whether Facebook has complied with its obligations under relevant provisions of the GDPR.”
To GDPR, or not to GDPR?
The DPC, Facebook’s lead regulator in the European Union (EU), will investigate whether Facebook has taken “appropriate security measures”, says Robert Wassall, a leading data protection lawyer and head of legal services at cybersecurity firm ThinkMarble.
The statutory inquiry consists of two distinct processes: an investigatory process and a decision-making process, Wassall told Verdict.
The DPC may “exercise a range of investigatory powers” to gather evidence, such as the power to search premises and remove documents.
If Facebook is found to have failed to protect its users, it will be liable for some form of enforcement action under GDPR.
Wassall believes a fine of some sort is “very likely”, given Facebook’s track record with the DPC and other regulators.
But whether any fine would be issued under GDPR is unclear, because the regulation does not apply to breaches that occurred before 25 May 2018. The passwords were kept in plain text before that date and continued to be afterwards, which makes the situation less clear cut.
Wassall said he doubted that regulators would “be bold enough” to pursue the entire, continuous breach under GDPR, as it would “provide an easy opportunity for the penalty to be appealed” and risk it being “struck out altogether”.
Facebook password breach: privacy woes continue
The Facebook password breach inquiry marks the 11th investigation into Facebook and its subsidiaries by the DPC. The DPC said it expects to give the findings of its first investigation into Facebook’s use of personal data this summer. The rest are expected by the end of the year.
Big tech firms, such as Twitter, Apple and Microsoft, have been drawn to Ireland by its low corporation tax.
It means that Ireland has lead regulatory power over some of the world’s most powerful companies. However, critics have pointed out that the DPC is yet to bring an enforcement action against a big tech firm.
“Ireland has a strong role to play in ensuring the world of social media complies with GDPR regulations, and since Canada has already found Facebook to seriously contravene its privacy laws, one would expect the Irish regulator may find it violating GDPR as well,” said Anjola Adeniyi, technical leader for EMEA at cybersecurity firm Securonix.
The latest scandal comes just days after Facebook said it had set aside at least $3bn for a Federal Trade Commission fine for privacy failings.
Despite this, and a tumultuous 2018 riddled with scandals, Facebook’s Q1 results showed a 26% increase in advertising revenue. The $15bn in revenue is the strongest start of the year for the social media behemoth since it launched 15 years ago.