Facebook is creepy spyware no-one should use. (I use it.) And it’s no secret that the company likes to hang on tight to two things: its money and your data. But having lost the data, they might now face being parted from a significant wedge of the money too.
Facebook revealed last Friday that a hack had exposed the accounts of over 50 million of its users. Not only was their data at risk, but the hack also gave the attackers the ability to take over users’ accounts. When they broke in the hackers took not just usernames and passwords but access tokens, which allow a user to stay logged in across devices and sessions without re-entering their password.
With those tokens it was possible for attackers to gain control of a user’s Facebook account and send infected attachments and to log into third-party applications that use Facebook login. (Social sign-in is popular because it’s easy, so a lot of sites offer it – including banks, communication apps and more.)
Facebook issued the usual apology and expression of relief that it had caught the problem in time, but it may not have done it quickly enough for Irish regulators.
In fact, Facebook may be the first big corporation to get seriously whomped by GDPR.
Spanish regulators have joined in, and there’s a chance that this is the moment when GDPR proves it has real teeth.
Facebook’s own internal investigation continues, but, says Protecture Limited senior data protection lead Rowenna Fielding,
‘Facebook should have tested the “view as” function with a “what could an attacker do with this” mindset and they either didn’t, or didn’t care about the gaping hole.’
Dr Lukasz Olejnik, an independent cybersecurity and privacy adviser, noted that this was the first major GDPR investigation that would test whether Facebook followed its rules around security of data processing.
‘This high-stakes matter may become the defining moment of GDPR,’ he said.
Other data security experts believe that Facebook will get off lightly.
‘The Irish regulator doesn’t really have a track record of robust enforcement, so I don’t think Facebook is likely to be concerned about penalties they might levy,’ said Fielding.
She said that the $1.63bn potential fine was ‘unlikely,’ describing it as a ‘ceiling, not a stipulation’.
‘However, the precedent set by any regulatory finding of unlawful processing could be very significant, especially in follow-on litigation by individual data subjects affected,’ she added.

Source: ‘Facebook faces $1.6bn fine and formal investigation over massive data breach,’ Olivia Solon, The Guardian