Facebook Hack May Result In GDPR Penalty
Irish regulator says 10 percent of the hacked 50 million Facebook accounts are based in Europe
Facebook could be in breach of Europe’s data protection rules (GDPR) after a hack last week that is said to have affected 50 million users.
The major security breach happened last Friday, after Facebook admitted that hackers may have gained access to nearly 50 million accounts by exploiting flaws in the social network’s code.
This is the largest breach in the company’s history, and although Facebook has already patched the code vulnerability, the social network could be exposed to stiff financial penalties under the GDPR.
Facebook breach
Facebook on Friday admitted that its engineering team had discovered a security issue affecting almost 50 million accounts.
It said it has informed law enforcement officials.
“But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As” a feature that lets people see what their own profile looks like to someone else,” said Zuckerberg’s company.
“This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” it said. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
It said it had reset the access tokens of the almost 50 million accounts it knows were affected in order to protect their security. It has also taken the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year.
It has not revealed whether other services which customers utilise their Facebook log-ins for, such as Spotify, Flixster Video etc, have also been affected.
The Irish Data Protection Commission has tweeted that less than 10 percent of the 50 million are believed to be European accounts.
However, this could mean that Facebook will be impacted by the GDPR, and the Wall Street Journal for example has reported that Facebook could face a maximum fine of up to $1.63bn (£1.26bn) – which 4 percent of the annual global turnover at the social networking giant.
Hefty fines?
Security experts expressed concern at the breach and warned that Facebook is not able to protect personal data when it is such a valuable resource on the dark web.
“Despite the CEO’s previous testimony and efforts, today’s Facebook data breach is evidence that despite their size, investments and elite security teams, they are unable to protect their business and your privacy,” said Bill Conner, CEO of cybersecurity company SonicWall.
“Personal information is simply too valuable on the Dark Web,” said Conner. “As long as stolen data continues to fetch high prices and equip perpetrators with the means necessary to carry out attacks, hold victims ransom, extort information or destroy property, organisations must exhaust all measures to diligently detect and protect their networks, devices and users.”
Another expert touched upon the impact for European users and the possibility of a GDPR fine.
“It is encouraging to see that Facebook have reported the attack promptly and have already begun their investigation into how the breach occurred,” said Rachel Aldighieri, MD of the DMA. “It isn’t yet clear how many EU citizens data has been affected but should it come to light that these citizens are among those whose data was breached, Facebook would be subject to hefty fines under GDPR.”
Another expert said that firms need to act proactively to protect sensitive data.
“The revelations coming out of Facebook today should be a wake-up call for the industry – abiding by the status quo of security is simply not an option,” said Justin Fier, director for cyber intelligence at Darktrace
“Every single organisation needs to take a hard look at how they are protecting their sensitive data, where they are investing their money, and what technologies they are using for defense and response,” said Fier. “If Facebook can be breached, we have to assume that all organisations either have been breached or will be soon.”
“In order to bypass Facebook’s security controls without raising alarm bells, this attack would have had to be complex, sophisticated, and stealthy,” he concluded.
Another expert pointed out that Facebook has been through the mill of late.
“This news comes at one of the worst times for Facebook, since the company has already been under fire multiple times this year amid data security concerns,” said Tyler Moffit, senior threat research analyst at Webroot.
“Unfortunately, there is very little the 50 million, potentially 90 million, affected Facebook users can actually do here,” he said. “The attack leveraged an exploit that holds Facebook and its code 100% accountable.”
Another expert warned that users utilise two factor authentication to protect their accounts.
“In light of this attack, I would advise that users seriously consider two factor authentication to better secure accounts and protect the personal information they hold,” said Jake Moore, cyber security specialist at ESET UK.
Last week a white hat hacker in Taiwan made headlines when said he would live stream a hack of Mark Zuckerberg’s Facebook page on Sunday.
However he later backed down and said he would rather report the vulnerability to Facebook as part of its bug bounty program.