Facebook Hack Could Result in $1.63 Billion Fine Under GDPR
In the wake of Facebook’s disclosure on Friday that it had suffered a massive hack, the social media platform now risks a substantial fine in the EU under GDPR.
On Friday 29th September, Facebook made a shocking announcement that it had suffered a serious cyber attack, describing it as a “highly sophisticated attack”. The company says that cyber criminals, as yet unknown, exploited a security vulnerability in its feature known as “View As”.
The hackers obtained access tokens (the digital keys that keep people logged in), which let them bypass security measures and potentially take control of up to 50 million accounts and linked apps. The company has said the attack leveraged three separate bugs that interacted with one another.
Currently, Facebook has not said whether the attackers attempted to extract data from the affected profiles; however, Guy Rosen, Vice President of product management, told the New York Times that the hackers had tried to purloin private information from the company’s systems. Rosen added that at present they were unable to determine the extent to which third-party apps could have been compromised.
In response to the attack, Facebook was forced to reset those access tokens, along with those of 40m other users as a precaution, meaning that anyone who found themselves logged out of their devices was among those affected by the hack. The company has confirmed that Facebook founder Mark Zuckerberg and its chief operating officer Sheryl Sandberg were among the accounts affected.
Rosen wrote on Facebook’s blog: “People’s privacy and security is incredibly important, and we’re sorry this happened. It’s why we’ve taken immediate action to secure these accounts and let users know what happened. There’s no need for anyone to change their passwords.”
Did Facebook Hack Breach GDPR?
According to the Wall Street Journal (WSJ), the incident has already raised the threat of a $1.68 billion fine in the European Union. This figure represents 4% of the company’s global annual revenue for the prior year; alternatively, the company could be fined a maximum of €20m.
Under GDPR, companies that have been hacked are obligated to notify regulators of breaches within 72 hours, under threat of a maximum fine of 2% of worldwide revenue. Details around the incident remain murky at best, and even the EU’s top privacy watchdog for Facebook, Ireland’s Data Commission, is struggling to get a clear explanation of what happened.
In an emailed statement to the WSJ, the regulator stated it was “concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.”
EU regulators have yet to use GDPR to levy fines, and it remains to be seen whether they would apply the maximum fine, or any fine at all, especially if they determine that Facebook had taken all the necessary steps to protect its users’ data. Facebook began notifying its users of the breach over the course of the weekend but has otherwise been silent throughout that period, which indicates it is still in the process of gathering that data or is deciding how best to disclose it.
This incident comes at an inopportune time for Facebook, which is facing intense scrutiny over its capability to protect user data. The EU recently demanded that the company better disclose to users “how their data is being used or face consumer-protection sanctions in several countries”. Furthermore, in the US the Federal Trade Commission is at present investigating whether several data breaches, including the Cambridge Analytica scandal and a data-scraping incident that affected most of its 2.2bn users, violated a 2011 consent decree on user privacy.
More recently, the co-founders of Instagram announced their departure from Facebook due to creative differences, while earlier in the year the WhatsApp co-founders also departed Facebook due to data privacy clashes with Mark Zuckerberg during the Cambridge Analytica scandal. Each of these departures garnered negative headlines for Facebook and painted Zuckerberg in an unflattering light.