Facebook hack heading for GDPR penalty?
October 03, 2018: Could last Friday's Facebook hack result in a substantial financial penalty from the ICO, the UK's data protection regulator? If Facebook is found to be in breach of Europe's data protection rules (GDPR), it could be facing hefty fines. The latest Facebook hack is said to have affected 50 million user accounts. Facebook admitted that attackers exploited flaws in the social network's code. When approached for comment on the hack, a spokesperson for Zuckerberg's company said:
“It’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts,” it said. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
The spokesperson added that Facebook had reset the access tokens of the almost 50 million accounts it knows were affected in order to protect their security. It has also taken the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. Users whose accounts had potentially been affected were prompted to log in again on the day of the breach.
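The two properties described above, that an access token works for whoever presents it and that a mass reset is the remedy once tokens are known to be stolen, are illustrated by the following Python example. It is an added illustration, not Facebook's code and not from the original article: a minimal token service in which each token is HMAC-signed and bound to a per-user generation counter, so bumping that counter (the hypothetical reset_tokens helper) invalidates every outstanding token for the user, including a copy an attacker already holds, while other users' tokens keep working. The signing key, user names and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional

# Constructed signing secret for this illustration only; a real service
# keeps it in a KMS/HSM and rotates it.
SERVER_SECRET = b"example-signing-key-not-for-production"

# Per-user token generation counter (assumed in-memory store for the demo).
# Bumping a user's counter invalidates every token issued under the previous
# value, which is how a mass "reset access tokens" remediation can be done
# without maintaining a blacklist of individual tokens.
_token_generation: dict = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Issue a signed bearer token bound to the user's current generation."""
    now = time.time() if now is None else now
    payload = {
        "sub": user_id,
        "gen": _token_generation.get(user_id, 0),
        "exp": int(now) + ttl_seconds,
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id the token grants access to, or None if rejected.

    A token is a bearer credential: the server cannot tell a legitimate user
    from an attacker holding a copy. It rejects only on a bad signature,
    expiry, or a generation that no longer matches the user's current one
    (i.e. the token has been reset).
    """
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
        if payload["exp"] <= now:
            return None
        if payload["gen"] != _token_generation.get(payload["sub"], 0):
            return None
        return payload["sub"]
    except (ValueError, KeyError, TypeError):
        return None


def reset_tokens(user_ids: Iterable[str]) -> int:
    """Invalidate every outstanding token for the given users.

    Mirrors the remediation in the article: affected users must log in
    again, and any token an attacker already holds stops working.
    Returns the number of accounts reset.
    """
    count = 0
    for uid in user_ids:
        _token_generation[uid] = _token_generation.get(uid, 0) + 1
        count += 1
    return count


def demo() -> dict:
    """Walk through the token lifecycle and return the observed outcomes."""
    alice_token = issue_token("alice", now=1_000_000)
    bob_token = issue_token("bob", now=1_000_000)
    stolen_copy = alice_token            # a stolen token is just a copy
    before = verify_token(stolen_copy, now=1_000_100)
    reset_tokens(["alice"])              # reset of the affected account only
    after = verify_token(stolen_copy, now=1_000_100)
    other_user = verify_token(bob_token, now=1_000_100)
    fresh = verify_token(issue_token("alice", now=1_000_200), now=1_000_300)
    return {"before_reset": before, "after_reset": after,
            "other_user": other_user, "after_relogin": fresh}


if __name__ == "__main__":
    print(demo())
```

The generation counter is the piece that makes a reset cheap: the server stores one small integer per user rather than a list of revoked tokens, and a reset of 90 million accounts is 90 million increments. The trade-off is that it revokes all of a user's sessions at once, which is exactly what a breach response wants but not what a single "log out this device" action wants.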
Who is affected by this latest Facebook Hack?
Facebook staff would not comment on where in the world the 50 million users are located, but said the firm had notified the Irish Data Protection Commission of the breach. The Irish DPC later tweeted that fewer than 10% of the 50 million are believed to be European accounts. Even at that fraction, this latest Facebook hack falls under the GDPR, which allows fines of up to 4% of annual global turnover. For the social media giant that would mean a potential fine of up to $1.63bn (£1.26bn), as reported by the Wall Street Journal.
Consequences of Facebook hack
This latest Facebook hack could not have come at a worse time. The firm is struggling to convince global authorities that it is capable of protecting users' personal data. Its founder, Mark Zuckerberg, said on a conference call last Friday that the firm took security seriously in the face of "constant attacks by bad actors". However, Jeff Pollard, VP and principal analyst at Forrester, said that because Facebook holds so much data it should be prepared for such attacks. Pollard added:
Attackers go where the data is, and that has made Facebook an obvious target. The main concern here is that one feature of the platform allowed attackers to harvest the data of tens of millions of users. This indicates that Facebook needs to make limiting access to data a priority for users...
When Facebook was contacted by the BBC, the firm was unable to say whether the investigation would look into why the bugs were missed, or whether anyone at the company would be held accountable for the breach.