On Tuesday 24th September, Facebook engineers discovered a data breach that gave hackers the ability to take over users’ accounts. It was patched on Thursday, the company says.
The huge data breach leaves thousands of other apps vulnerable.
Biggest breach in Facebook history.
The security breach is believed to be the largest in Facebook’s history. It is particularly shocking because the hackers stole “access tokens”, a digital security key that allows users to stay logged into Facebook over multiple browsing sessions without having to enter their password each time, including logging into third party applications that use Facebook login.
When an attacker has this token, they can take full control of a victim’s account.
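The two paragraphs above describe why a stolen access token is so dangerous: it is a bearer credential, so the server grants whoever presents it the same access as the account owner, with no password check. The following Python sketch is an added illustration of that property and of the standard mitigation, server-side revocation of every token issued to an affected user. It is constructed for this page and is not Facebook's code; the `TokenStore` class, its methods and the user name `alice` are all hypothetical.

```python
import secrets
import time


class TokenStore:
    """Hypothetical server-side store of opaque access tokens.

    Each token is an unguessable random string that maps to a user.
    Presenting the token is all that is needed to act as that user,
    which is exactly why a leaked token must be revocable from the server.
    """

    def __init__(self):
        # token -> record; the record carries the owner and the issue time
        self._tokens = {}
        # user -> cutoff time; tokens issued before the cutoff are dead
        self._revoked_before = {}

    def issue(self, user, now=None):
        """Mint a new bearer token for `user` and record when it was issued."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._tokens[token] = {"user": user, "issued_at": now}
        return token

    def resolve(self, token):
        """Return the user a presented token grants access to, or None.

        No password or identity check happens here: the holder of the
        token *is* the user as far as the server can tell.
        """
        rec = self._tokens.get(token)
        if rec is None:
            return None
        cutoff = self._revoked_before.get(rec["user"])
        if cutoff is not None and rec["issued_at"] < cutoff:
            return None  # token predates a mass revocation
        return rec["user"]

    def revoke_all_for_user(self, user, now=None):
        """Invalidate every token issued to `user` up to `now`.

        This is the remedial step for a suspected token theft: the victim
        is logged out everywhere and the stolen tokens stop working, while
        tokens issued after the cutoff remain valid.
        """
        now = time.time() if now is None else now
        self._revoked_before[user] = now
        for tok, rec in list(self._tokens.items()):
            if rec["user"] == user and rec["issued_at"] < now:
                del self._tokens[tok]


def demo():
    """Walk through theft, revocation and re-issue with fixed timestamps."""
    store = TokenStore()
    t0 = 1000.0
    stolen = store.issue("alice", now=t0)
    # Before revocation, the token alone grants alice's access.
    before = store.resolve(stolen)
    # Incident response: revoke everything alice had at t0 + 1.
    store.revoke_all_for_user("alice", now=t0 + 1)
    after = store.resolve(stolen)
    # A token issued after the cutoff works again for a fresh login.
    fresh = store.issue("alice", now=t0 + 2)
    return before, after, store.resolve(fresh)


if __name__ == "__main__":
    print(demo())  # ('alice', None, 'alice')
```

The design point is that revocation must be enforced where the token is checked; a client-side logout that leaves the server-side record valid does nothing against a copy of the token already in an attacker's hands.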
The Irish Data Protection Commission started a formal investigation into the breach, which could result in a fine of up to $1.63bn.
The commission regulates Facebook’s adherence to the General Data Protection Regulation or GDPR, a European law which came into effect last May and which strengthens the privacy protections of individuals and introduces harsh penalties for companies that fail to protect user data.
Investigation into breach, compliance with GDPR
In a statement on Wednesday the commission said:
“The investigation will examine Facebook’s compliance with its obligation under the General Data Protection Regulation (GDPR) to implement appropriate technical and organisational measures to ensure the security and safeguarding of the personal data it processes,”
The commission noted that Facebook had informed them that its internal investigation was continuing and that the company continued “to take remedial actions to mitigate the potential risk to users”.
“We have been in close contact with the Irish Data Protection Commission since we have become aware of the security attack and will continue to cooperate with their investigation,” said a Facebook spokeswoman.
Shortly after the Irish Data Protection Commission announced its investigation, the Spanish Data Protection Agency announced it would collaborate on the investigation to protect the rights of Spanish citizens.
Facebook under scrutiny.
Facebook is already under heavy scrutiny over issues including foreign interference in elections, its role in spreading misinformation and hate speech and privacy.
Announcing the breach in a blogpost on Friday, Facebook said it was taking the issue “incredibly seriously”.
Over the weekend the commission said it was “concerned that this breach was discovered on Tuesday and affects millions of users”.
Facebook was “unable to clarify the nature of breach and risk” to users at that point, the commission said, adding that it was pushing the company to “urgently clarify these matters”.
Defining moment for GDPR say experts.
An independent cybersecurity and privacy adviser noted that this was the first major GDPR investigation that would test whether Facebook followed its rules around security of data processing.
“This high-stakes matter may become the defining moment of GDPR,” he said.
Other data security experts believe that Facebook will get off lightly.
One commented “The Irish regulator doesn’t really have a track record of robust enforcement, so I don’t think Facebook is likely to be concerned about penalties they might levy,” continuing that the $1.63bn potential fine was “unlikely”, describing it as a “ceiling, not a stipulation”.
“However, the precedent set by any regulatory finding of unlawful processing could be very significant, especially in follow-on litigation by individual data subjects affected.”