Facebook could be fined up to £1.26 billion by EU for recent data breach

Last Friday, Facebook announced that an unknown hacker or group of hackers had obtained the access tokens of as many as 50 million accounts by exploiting three vulnerabilities in the platform.

Using the stolen access tokens, Facebook said, the hackers could access the Facebook accounts of the affected users and could also reach third-party services that those users had logged in to using Facebook's Single Sign-on facility. To minimise the damage the hackers could cause in the coming days, Facebook immediately reset the access tokens of up to 90 million users.
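The token reset described above is, in effect, a bulk revocation keyed on issuance time: every token issued before the reset stops working, while tokens issued afterwards remain valid. The following is an added illustration, not Facebook's code, of a hypothetical issuer that implements such a reset and a relying party that re-checks with the issuer on every SSO login so the reset also reaches third-party services.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class TokenIssuer:
    """Hypothetical identity provider (constructed for this example).
    Tokens are opaque random strings; the issuer records who they belong
    to and when they were issued, so it can invalidate them in bulk."""
    tokens: dict = field(default_factory=dict)          # token -> (user, issued_at)
    revoked_before: dict = field(default_factory=dict)  # user -> cutoff time

    def issue(self, user: str, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, now)
        return token

    def introspect(self, token: str, now: int):
        """Return the owning user if the token is still live, else None."""
        record = self.tokens.get(token)
        if record is None:
            return None
        user, issued_at = record
        # A token issued before the user's reset cutoff is dead, even though
        # the issuer never had to find and delete each stolen copy.
        if issued_at < self.revoked_before.get(user, 0):
            return None
        return user

    def reset_tokens(self, users, now: int) -> None:
        """Bulk reset, as a platform would do for accounts believed affected."""
        for user in users:
            self.revoked_before[user] = now

def relying_party_login(issuer: TokenIssuer, token: str, now: int):
    """Hypothetical third-party site using SSO. It must ask the issuer on every
    login rather than caching an earlier 'valid' answer; otherwise a reset
    at the issuer never propagates and the stolen token keeps working here."""
    return issuer.introspect(token, now)

def demo():
    idp = TokenIssuer()
    victim_tok = idp.issue("victim", now=100)
    other_tok = idp.issue("unaffected", now=100)
    idp.reset_tokens(["victim"], now=200)        # breach response
    fresh_tok = idp.issue("victim", now=300)     # user logs in again
    return (relying_party_login(idp, victim_tok, 301),   # None: revoked
            relying_party_login(idp, other_tok, 301),    # "unaffected"
            relying_party_login(idp, fresh_tok, 301))    # "victim"
```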

Irish Data Protection Commission looking into Facebook breach

Soon after Facebook disclosed the massive breach to all users, the Irish Data Protection Commission expressed concern that the breach was discovered only last week and that Facebook was "unable to clarify the nature of the breach & risk to users".

A couple of days later, the Commission asked Facebook to share "further urgent details of the security breach" as well as the number of EU users affected by the incident. It said these details were necessary for it to "properly assess the nature of the breach and risk to users".

Soon after the Data Protection Commission issued the reminder, Facebook revealed that out of the 50 million users who were affected by the breach of access tokens, less than 10 percent were EU users and that it would provide a further breakdown in terms of more detailed numbers "soon".

Following Facebook's disclosure, Ilia Kolochenko, CEO and founder of High-Tech Bridge, said that from a legal point of view, the incident could become a notorious milestone of GDPR enforcement by the EU regulators.

"A multi-million fine is not that impossible under the integrity of circumstances. As for the US, a class action and individual lawsuits can cause a lot of trouble for Facebook, potentially with even higher penalties or settlements, exacerbated by legal costs and a jeopardized public image," he said.

According to The Wall Street Journal, if the European Union privacy watchdog determines that Facebook did not do enough to ensure the privacy and digital security of millions of users in the EU region, Facebook could face a fine of up to $1.63 billion (£1.26 billion) under the new GDPR regulations.

Non-compliance with GDPR rules, or a violation of the 72-hour breach notification window, can attract a maximum fine of either 20 million euros or 4% of a firm's global annual turnover, whichever is higher. Given Facebook's global presence and its dominance of social media, the fine imposed on it could easily exceed a billion euros.

Facebook could attract an exemplary fine

If Facebook does get fined eventually, it won't be a first, at least in Europe. The European Commission fined Facebook €110 million in 2016 for lying about its plans to share user data with WhatsApp. During the EU's investigation into Facebook's merger with WhatsApp in 2014, the social media giant told the Commission that it would be unable to establish reliable automated matching between Facebook users' accounts and WhatsApp users' accounts. However, in August 2016, WhatsApp updated its privacy policy and terms & conditions to include the ability to link WhatsApp users' phone numbers with Facebook users' identities.

In July this year, the UK's Information Commissioner's Office fined Facebook an exemplary £500,000 under the 1998 Data Protection Act for failing to prevent data analytics firms (such as Cambridge Analytica) from harvesting personal details of millions of users.

Commenting on the fine issued by the ICO to Facebook, Christopher Littlejohns, EMEA manager at Synopsys, said that the fine imposed on Facebook was a salutary lesson to companies operating within the European region and that a fine of such magnitude could top hundreds of millions under the newly-implemented GDPR.

"Such fines are potentially so large they can significantly affect operating margin, and ultimately share prices of large companies. Personal data collectors and aggregators are particularly at risk to these issues, due to the scale and value of the data they collect; and consequently should be extremely vigilant and diligent in their custodianship of such data.

"Companies that do not undertake effective risk analysis, data privacy management, ongoing diligence, and open communication with users and authorities when breaches occur will potentially face severe business impediments at best, and existential threats at worst," he added.

Jay Jay

Jay has been a technology reporter for almost a decade. When not writing about cybersecurity, he writes about mobile technology for the likes of Indian Express, TechRadar India and Android Headlines
