Will regulators levy a $1.63b fine on Facebook?
RECENTLY, Facebook disclosed another ‘data breach’, which made users very unhappy.
The hack impacted 50 million Facebook account holders worldwide and is still being investigated.
“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else,” explained the company’s VP of Product Management, Guy Rosen.
The vulnerability allowed the hackers to steal Facebook access tokens which they can use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
“To protect people’s accounts, we’ve fixed the vulnerability. We have also reset the access tokens of the almost 50 million accounts we know were affected,” said Facebook’s VP of Engineering, Security, and Privacy Pedro Canahuati.
As a precautionary step, the social media giant has also reset access tokens for another 40 million accounts that have been subject to a View As look-up in the last year. It also appears that Facebook has temporarily turned off View As while it audits the feature.
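As an added illustration of the two-step token reset described above (this is not Facebook's code; the session store, the View As audit log, the user names and the incident time are all assumed), the example below invalidates every token of the accounts known to be affected and then, as a precaution, every token of any account that was the target of a View As look-up inside a one-year look-back window:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed, simplified model of a session store: each user may hold several
# access tokens, the "digital keys" that keep the user logged in.
@dataclass
class SessionStore:
    tokens: dict = field(default_factory=dict)        # token id -> user id
    view_as_log: list = field(default_factory=list)   # (viewer, target, when)

    def issue(self, token_id: str, user_id: str) -> None:
        self.tokens[token_id] = user_id

    def record_view_as(self, viewer: str, target: str, when: datetime) -> None:
        # Audit entry a View As look-up leaves: who looked, whose profile, when.
        self.view_as_log.append((viewer, target, when))

    def is_valid(self, token_id: str) -> bool:
        return token_id in self.tokens

    def revoke_for_users(self, user_ids) -> int:
        """Invalidate every token held by the given users; returns how many."""
        doomed = [t for t, u in self.tokens.items() if u in user_ids]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)

    def respond_to_token_theft(self, known_affected, incident_time,
                               lookback=timedelta(days=365)):
        """1. reset tokens of accounts known to be affected;
        2. as a precaution, also reset tokens of accounts that were the target
           of a View As look-up inside the look-back window."""
        known = set(known_affected)
        precautionary = {target for _, target, when in self.view_as_log
                         if incident_time - lookback <= when <= incident_time
                         and target not in known}
        return self.revoke_for_users(known), self.revoke_for_users(precautionary)

def demo():
    """Constructed sample data (hypothetical users and incident time)."""
    now = datetime(2018, 10, 1, tzinfo=timezone.utc)   # assumed incident time
    store = SessionStore()
    for tok, user in [("tok-alice", "alice"), ("tok-alice-2", "alice"),
                      ("tok-bob", "bob"), ("tok-carol", "carol"), ("tok-dave", "dave")]:
        store.issue(tok, user)
    store.record_view_as("viewer1", "bob", now - timedelta(days=30))     # inside window
    store.record_view_as("viewer2", "carol", now - timedelta(days=400))  # outside window
    return store, store.respond_to_token_theft({"alice"}, now)

if __name__ == "__main__":
    print(demo()[1])   # (2, 1): two of alice's tokens reset, one precautionary reset for bob
```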
Given that Facebook has a large presence in Europe, it’ll be subject to the General Data Protection Regulation (GDPR) — which means it could face a fine of up to GBP1.25 billion (US$1.63 billion).
According to the BBC, the regulators seem pleased with the fact that Facebook reported the incident within 72 hours of discovering it as prescribed by law.
The Information Commissioner recognizes that firms may not have all the answers regarding an incident within 72 hours, and that information can be shared as it is discovered.
Data Protection Adviser Jon Baines from the law firm Mishcon de Reya LLP told the BBC that it was impossible to know how likely a fine is at this stage.
“No matter how good an organization’s response is to a personal data breach, it is what went before that will count against it. So, if Facebook is found not to have taken sufficiently robust measures [to prevent the vulnerability], it may be held to have infringed GDPR, even if its response since has been exemplary,” explained Baines.
Users in the US, however, don’t seem as forgiving. According to Bloomberg, the company has been sued in California already.
Overall, it seems as though it will take a little time for regulators and courts across the world to decide whether a penalty can be levied on Facebook, and how large it should be — but the hack could well cost the social media giant a fortune.