Facebook could be slapped with $1.6bn GDPR-related fine for 50m user data breach

Facebook could be set to face a fine of over $1.6bn (£1.2bn/€1.4bn) if it is found to have violated the European Union’s (EU) General Data Protection Regulation (GDPR) over a recent data breach which hit nearly 50m accounts.

At the end of last week, Facebook revealed that it had discovered a security issue on Tuesday 25 September. The issue, which has since been fixed, involved attackers exploiting a vulnerability in Facebook’s code that allowed them to steal access tokens via the social network’s ‘View As’ feature, which lets people see what their own profile looks like to other users. Access tokens are the digital keys that keep people logged in to Facebook so they do not have to re-enter their password every time they use the app; anyone holding a valid token can act as that account without knowing its password. Facebook says it has temporarily turned off the feature while it investigates the issue.

Upon discovery of the breach, Facebook “notified the Irish Data Protection Commission (DPC) in accordance with the obligations we have under GDPR,” according to Guy Rosen, VP of product management. The Irish DPC serves as Facebook’s lead privacy regulator in Europe.

Despite Facebook notifying Ireland’s DPC in a timely manner, the Commission is not satisfied and has demanded more information from the tech giant about the nature and magnitude of the data breach with regard to EU users, the Wall Street Journal reports.

“It is encouraging to see that Facebook have reported the attack promptly and have already begun their investigation into how the breach occurred. It isn’t yet clear how many EU citizens’ data has been affected, but should it come to light that these citizens are among those whose data was breached, Facebook would be subject to hefty fines under GDPR. It appears that the breach was the result of a cyber-attack and not due to negligence; if this is the case, then any fines will be proportionate and will take this into account,” said Rachel Aldighieri, MD of the DMA (Direct Marketing Association).

“However, fines are just one of the risks to organisations like Facebook. We believe the long-term effects on customer trust, share price and public perception could have more lasting damage.

“Facebook now has the challenge of re-building the trust of its customer base, a job that might be difficult given the events involving Cambridge Analytica earlier this year. To do this, it’s vital that the organisation focuses its efforts around two of the core principles of the GDPR – accountability and transparency. They need to show that they have done everything possible to ensure such a breach won’t happen again.”

Under GDPR, the EU’s data privacy law which came into force in May, companies that do not do enough to protect the personal data of EU citizens face maximum fines of €20m or four per cent of the company’s global annual turnover for the prior financial year, whichever is higher. In Facebook’s case it would be the latter, which could see it having to pay a hefty $1.6bn.

In addition to adhering to its reporting obligations under GDPR, Facebook says it has notified US law enforcement about the issue. Meanwhile, it has reset the access tokens for all of the accounts it knows were affected and is also resetting the access tokens of a further 40m accounts which have been subject to a ‘View As’ look-up in the past year, as a precaution. As a result, around 90m Facebook users will have to log in to the Facebook app again. Stolen tokens cannot be recalled from whoever holds them, so invalidating them server-side and forcing a fresh login is the only way to cut off an attacker’s access.
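The remediation described above, bulk invalidation of access tokens for a set of accounts, as an added example of how such a reset can be implemented. This is illustrative code written for this page, not Facebook’s own implementation: it assumes a simple HMAC-signed token format and a per-user “generation” counter (so that every outstanding token for a user can be revoked without knowing the tokens themselves), and the ‘View As’ audit log and account numbers are constructed sample data.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Assumption: a long-lived server-side secret used to sign tokens.
# In production this would live in a KMS/HSM, not a process global.
SERVER_KEY = secrets.token_bytes(32)


class TokenStore:
    """Issue and check access tokens whose validity is tied to a per-user
    generation counter. Bumping the counter revokes every token that user
    currently holds, including any an attacker has stolen."""

    def __init__(self, key: bytes):
        self.key = key
        self.generation = {}  # user_id -> current generation (default 0)

    def _mac(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: int) -> str:
        gen = self.generation.get(user_id, 0)
        payload = f"{user_id}.{gen}.{secrets.token_hex(8)}"
        return f"{payload}.{self._mac(payload)}"

    def verify(self, token: str):
        """Return the user_id for a valid, unrevoked token, else None."""
        parts = token.split(".")
        if len(parts) != 4 or not (parts[0].isdigit() and parts[1].isdigit()):
            return None
        user_id_s, gen_s, nonce, mac = parts
        payload = f"{user_id_s}.{gen_s}.{nonce}"
        if not hmac.compare_digest(mac, self._mac(payload)):
            return None  # forged or corrupted token
        user_id = int(user_id_s)
        if int(gen_s) != self.generation.get(user_id, 0):
            return None  # revoked: minted under an older generation
        return user_id

    def revoke_all(self, user_ids) -> int:
        """Invalidate every token of each listed user; they must log in again."""
        for uid in set(user_ids):
            self.generation[uid] = self.generation.get(uid, 0) + 1
        return len(set(user_ids))


def accounts_to_reset(known_affected, view_as_log, now, window=timedelta(days=365)):
    """Known-affected accounts plus, as a precaution, every account that was
    the *target* of a 'View As' look-up inside the window."""
    precautionary = {target for when, viewer, target in view_as_log
                     if now - when <= window}
    return set(known_affected) | precautionary


# Constructed sample data (hypothetical account ids, not real Facebook data).
NOW = datetime(2018, 9, 28)
VIEW_AS_LOG = [  # (timestamp, viewer account, account viewed as)
    (datetime(2018, 9, 20), 1001, 2002),  # recent look-up of account 2002
    (datetime(2018, 1, 15), 1001, 2003),  # within the past year
    (datetime(2017, 6, 1), 1004, 2005),   # older than a year: left alone
]
KNOWN_AFFECTED = {2002, 3001}


def demo():
    """Issue tokens, run the reset, and report which accounts were reset
    and whose old tokens still work afterwards."""
    store = TokenStore(SERVER_KEY)
    tokens = {uid: store.issue(uid) for uid in (2002, 2003, 2005, 3001, 4000)}
    to_reset = accounts_to_reset(KNOWN_AFFECTED, VIEW_AS_LOG, NOW)
    store.revoke_all(to_reset)
    still_valid = {uid for uid, tok in tokens.items() if store.verify(tok) == uid}
    return sorted(to_reset), sorted(still_valid)


if __name__ == "__main__":
    reset, valid = demo()
    print("reset:", reset)          # [2002, 2003, 3001]
    print("still valid:", valid)    # [2005, 4000]
```

The generation counter is the important design choice: a token that has already been exfiltrated cannot be recalled, so the server must be able to reject it without ever having seen it. Tying every token to a per-user version that the server controls gives exactly that, at the cost of one extra lookup per request.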

Facebook says it is still unclear whether the targeted accounts have been misused or what information has been accessed. Furthermore, it does not yet know who is behind the attack.

“This breach appears to have impacted 50m users of the social network site meaning that a vast amount of personal data is now in the hands of criminals. It is therefore imperative that Facebook are forthcoming in contacting all those affected, provide information on what this breach means for them, and offer support to those who are likely to be very concerned by the news,” said Aldighieri.

“We would encourage any concerned users of Facebook to contact the website through its official channels and also follow the updates that they are likely to provide over the next few days. It is important to remain vigilant in checking your account and bank statements to ensure there’s nothing unusual. There’s no need to panic or cancel cards, but if you do see any suspicious activity we recommend contacting your bank immediately.”