Facebook could face a fine of up to $1.6bn under the EU’s General Data Protection Regulation (GDPR) for a data breach that could have affected the accounts of up to 90 million users.
Ireland’s Data Protection Commission has demanded more information from Facebook about the scope and nature of the breach to determine how many EU residents were affected and the risk to users, according to the Wall Street Journal.
The UK’s Information Commissioner’s Office (ICO) has also indicated that it will be making similar enquiries.
“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers,” James Dipple-Johnstone, ICO deputy commissioner of operations, said in a statement.
“We will be making enquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected.”
In July, the ICO revealed that Facebook had been found guilty of two contraventions of the UK Data Protection Act 1998 and could be liable for a monetary penalty up to the maximum allowed under that law of £500,000, but the latest breach took place under the GDPR, which provides for fines of up to 4% of global revenue for serious breaches.
Facebook reported a “security issue” affecting “almost 50 million accounts” on 28 September, three days after detecting the problem and starting investigations.
According to the social networking firm, attackers exploited three vulnerabilities in Facebook’s code related to the “View As” feature that lets people see what their own profile looks like to someone else.
This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts, the company said, explaining that access tokens are the equivalent of digital keys that keep people logged in to Facebook so they do not need to re-enter their password every time they use the app.
Pedro Canahuati, vice-president of engineering, security and privacy, said: “The attackers were then able to pivot from [the stolen] access token to other accounts, performing the same actions and obtaining further access tokens.”
Facebook said the attack exploited the “complex interaction of multiple issues in our code” and stemmed from a change made to the video uploading feature in July 2017.
In response, Facebook said it had fixed the vulnerability, informed law enforcement and reset the access tokens of the almost 50 million accounts known to be affected.
“We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a ‘View As’ look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login,” said Facebook.
The company has also turned off the “View As” feature while it conducts a security review, but admitted it has yet to determine whether accounts were misused or any information accessed.
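The remedy Facebook describes, invalidating tokens server-side for the known-affected accounts plus a precautionary set chosen from a “View As” look-up history, is the standard response to bearer-token theft: a stolen token is only useful while the server still honours it. The Python below is an added illustration of that pattern, not Facebook’s code; the AccessTokenService class, the user names, the dates and the look-up log entries are all constructed for the example.

```python
import secrets
from datetime import datetime, timedelta


class AccessTokenService:
    """Hypothetical bearer-token store (not Facebook's implementation).

    Tokens are opaque random strings; validity is decided purely by whether
    the server still has the token on record, so a bulk reset makes every
    copy of a stolen token worthless at once.
    """

    def __init__(self):
        self._tokens = {}       # token -> user_id
        self._view_as_log = []  # (timestamp, subject user) of "View As" look-ups

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user_id
        return token

    def validate(self, token):
        # Returns the user the token belongs to, or None once it is revoked.
        return self._tokens.get(token)

    def record_view_as(self, subject_user_id, when):
        # Audit trail: whose profile was rendered via "View As", and when.
        self._view_as_log.append((when, subject_user_id))

    def revoke_user(self, user_id):
        doomed = [t for t, u in self._tokens.items() if u == user_id]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)

    def respond_to_token_theft(self, known_affected, now, lookback=timedelta(days=365)):
        # Reset known victims plus anyone subject to a look-up inside the window.
        precautionary = {u for when, u in self._view_as_log if now - when <= lookback}
        targets = set(known_affected) | precautionary
        for user_id in targets:
            self.revoke_user(user_id)
        return targets


def demo():
    svc = AccessTokenService()
    now = datetime(2018, 9, 28)                       # constructed incident date
    tokens = {u: svc.issue(u) for u in ("alice", "bob", "carol", "dave")}
    svc.record_view_as("bob", now - timedelta(days=30))     # inside one year: reset
    svc.record_view_as("carol", now - timedelta(days=400))  # older than a year: kept
    reset = svc.respond_to_token_theft(known_affected={"alice"}, now=now)
    still_valid = {u for u, t in tokens.items() if svc.validate(t) == u}
    return reset, still_valid
```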
Location and identity
Facebook said it is also still trying to establish the location and identity of the attackers and will reset the access tokens of any other accounts it believes may have been affected.
Hitesh Kargathra, lead security consultant at Falanx Group, said organisations are being judged less on whether they have suffered a data breach and more on how these breaches are handled.
“Security is never going to be absolute for any organisation and cyber attacks are becoming a fact of life, especially for high profile organisations such as Facebook, which in this case was quick to address the vulnerability once it had been identified and take steps to minimise the risk of further user data compromise and inform the relevant authorities,” he said.
Given the recent attention on Facebook by regulators within the US and abroad, Kargathra said Facebook needed to demonstrate a robust approach to breach management that expressed a focus on the protection of user data and transparency of activities undertaken in response to the incident.
“So far they appear to have ticked the right boxes, but the breach is going to put further pressure on Facebook to validate how user privacy is protected.
“I would expect Facebook to publish further details of the breach following a more in-depth assessment, including how long user accounts were compromised prior to the identification of the breach, the impact of the breach on users and what steps have been taken to protect user privacy in the event of future breaches of the social media platform,” he said.