Facebook’s security breach, which saw profiles of up to 50 million users exposed, could see the company face a fine of up to $1.6bn under EU data protection laws.
The social network confirmed on Friday that as-yet-unidentified attackers exploited a flaw in the ‘View As’ tool, which lets users see their own profile as it appears to another user. The flaw allowed them to obtain access tokens – the credentials that keep a user logged in – for other people’s accounts, granting them control of those accounts without needing a password.
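The bug class described above is a preview feature handing its requester a credential bound to the wrong principal. The following is an added, deliberately simplified model written for this article; it is not Facebook’s code, and the token format, the function names and the per-user generation counter are all assumptions. It shows a ‘view as’ page that embeds a live access token for the impersonated account beside a corrected version that only ever mints a token for the authenticated viewer, and the mass-revocation step that a forced logout of every issued token amounts to.

```python
"""Illustrative 'view as' model: vulnerable and fixed token issuance, plus revocation.
Constructed for this article; not Facebook's code. All names are assumptions."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

SIGNING_KEY = b"demo-signing-key-not-for-production"  # constructed for the example

# Per-user token generation. Bumping a user's counter invalidates every token
# issued to that user before the bump (this is what a forced logout does here).
TOKEN_GENERATION: Dict[str, int] = {}


def _sign(payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON body; returns '<b64 body>.<b64 mac>'."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def mint_access_token(subject: str) -> str:
    """Bearer token whose holder may act as `subject` until `subject` is logged out."""
    generation = TOKEN_GENERATION.setdefault(subject, 0)
    return _sign({"sub": subject, "gen": generation, "kind": "access"})


def verify_access_token(token: str) -> Optional[str]:
    """Return the account the token acts for, or None if forged, malformed or revoked."""
    try:
        body_b64, mac_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    payload = json.loads(body)
    if payload.get("kind") != "access":
        return None
    # A token from an older generation was invalidated by a later forced logout.
    if payload.get("gen") != TOKEN_GENERATION.get(payload["sub"], 0):
        return None
    return payload["sub"]


def render_view_as_vulnerable(viewer: str, viewed_as: str) -> dict:
    """Flawed design: the preview page carries a live token for the impersonated
    account, so whoever requested the preview can now act as `viewed_as`."""
    return {
        "viewer": viewer,
        "rendered_as": viewed_as,
        "embedded_token": mint_access_token(viewed_as),  # wrong principal
    }


def render_view_as_fixed(viewer: str, viewed_as: str) -> dict:
    """Corrected design: `viewed_as` is only a rendering hint. Any token the page
    carries is bound to the authenticated viewer, who already owns that account,
    so the preview cannot escalate anyone's authority."""
    return {
        "viewer": viewer,
        "rendered_as": viewed_as,
        "embedded_token": mint_access_token(viewer),
    }


def force_logout(subject: str) -> None:
    """Invalidate every access token previously issued for `subject`."""
    TOKEN_GENERATION[subject] = TOKEN_GENERATION.get(subject, 0) + 1


if __name__ == "__main__":
    leaked = render_view_as_vulnerable("attacker", "victim")["embedded_token"]
    print("vulnerable preview token acts as:", verify_access_token(leaked))
    safe = render_view_as_fixed("attacker", "victim")["embedded_token"]
    print("fixed preview token acts as:", verify_access_token(safe))
    force_logout("victim")
    print("leaked token after forced logout:", verify_access_token(leaked))
```

The generation counter is why a mass logout is an effective remediation for stolen bearer tokens even when the tokens themselves were never recovered: the server does not need to know which tokens leaked, only which accounts to bump.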
The attack appears to have affected users across the world, with the BBC reporting that founder Mark Zuckerberg’s account was among those compromised.
As part of the fix, Facebook logged out 90 million accounts, which invalidated their access tokens – a figure equal to roughly 4% of its total monthly active users. But does the Facebook security breach warrant a maximum GDPR fine of 4% of its global annual turnover?
4% fine for breaching 4% of users?
Under GDPR, companies face an upper-tier fine of €20m or 4% of global annual turnover for the previous financial year – whichever is higher.
However, these fines are applied on a sliding scale that depends on several factors, as outlined by the UK’s data protection body, the Information Commissioner’s Office (ICO).
One of those is the severity of the breach. It is still unclear whether these accounts were misused, or if any information was stolen. As investigations by Facebook and data protection bodies around the world unfold, this could become a key point in determining the size of the fine.
Jake Moore, cybersecurity specialist at ESET UK, described the attack as “ironic”, given that the ‘View As’ feature exists to let users check what others can see of their profile.
“If accounts were targeted by hackers they could have stolen personal information that was previously seen as private,” he said.
Time is also a factor. GDPR gives companies 72 hours to report a breach to the relevant supervisory authority after becoming aware of it. Facebook confirmed that it notified Ireland’s Data Protection Commission (DPC) – the lead regulator for its European subsidiary – within this time frame. It has also informed the police.
However, the DPC called for more details from Facebook. In an email to the Wall Street Journal it said it is “concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.”
Chris Morales, head of security analytics at Vectra, commended Facebook for identifying the security breach so quickly, adding that a compromise through this kind of software flaw “isn’t surprising.”
“All code has these forms of flaw that allow unintended use of software, and the more complex the software gets the more likely these type of flaws exist,” he said.
If investigations find that more could have been done to prevent or detect this flaw, that could count against the company.
Morales added that it was currently unclear what “other information was taken or how else those accounts were used” beyond the access tokens.
Facebook security breach could be politicised
With serious incidents, companies must also notify the affected users. Again, Facebook has done so, logging users out of their accounts – which invalidated the access tokens the attackers obtained – as a security precaution.
It also provided users with a message explaining why they had to re-login, as well as explaining the security breach further in blog posts.
The flaw has also been fixed, according to the company’s vice-president of product management Guy Rosen. All of these steps point to Facebook taking the appropriate course of action since discovering the breach.
Future investigations will consider these mitigating factors when determining any enforcement. If misuse or data theft of affected accounts is minimal, Facebook is unlikely to feel the full force of a maximum GDPR fine.
However, with European regulators unhappy with Facebook and other large tech companies avoiding tax, there is the chance that punitive measures for this security breach could become political.
“The idea of Facebook facing massive GDPR fines could be viewed as somewhat premature,” said Matt Walmsley, EMEA Director at cybersecurity company Vectra.
“Whilst the EU GDPR includes the provision of sizable punitive fines, they would likely be reserved for organisations who have been both negligent in their compliance, and uncooperative in their engagement and response to the investigating GDPR supervisory authority.”
In a blog post, Facebook CEO Mark Zuckerberg said:
“We face constant attacks from people who want to take over accounts or steal information around the world.
“While I’m glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place.”
In a statement, the ICO said that it would be “making enquiries” with Facebook and working with overseas regulatory bodies in its investigation.
It added that it is the company’s responsibility to identify when UK citizens are involved in a data breach and to “take steps to reduce any harm to consumers”.
It is the latest potential GDPR violation by Facebook, after it emerged last week that the company had used personal data not directly provided by users to target them with adverts.
Facebook has previously had run-ins with the ICO, which issued a £500,000 fine for its handling of user data in the Cambridge Analytica scandal – the maximum penalty available under the pre-GDPR regime.
It adds to a difficult year for the social network, which has prompted campaigns such as #DeleteFacebook.
“It is unfortunate for users […] and it is also unfortunate for Facebook at a time when they [are] under intense scrutiny along with the recent departure of Facebook’s CSO, Alex Stamos,” said Morales.