The EU is preparing to investigate Facebook over a data breach which saw 50 million accounts compromised, nearly five million of which are believed to be European users.
Investigators at the Irish Data Protection Commission (IDPC), the lead supervisory authority for Facebook in the EU, are gathering information and establishing the basis for an inquiry under the General Data Protection Regulation introduced this year.
If it is found to have broken the guidelines, the social media giant could face a maximum fine of 1.63 billion dollars (£1.26 billion), or 4% of annual revenue.
We're working with regulators including the Irish Data Protection Commission to share preliminary data about Friday's security issue. As we work to confirm the location of those potentially affected, we plan to release further info soon. https://t.co/Cs1uSMtBNk
— Facebook (@facebook) October 1, 2018
Graham Doyle, head of communications at the IDPC, said: “Before we would launch any investigation there are steps that would have to be taken in relation to information gathering and preparing the scope of an inquiry.
“Furthermore we would need to establish under which provisions of the Data Protection Act 2018 we would conduct it. We are currently engaged in those steps.”
Facebook confirmed on Monday it was working with the IDPC to “share preliminary data” about the breach.
Mr Doyle added: “Facebook issued a blog on Friday last indicating that 50 million accounts were potentially affected by a security issue. We understand that the number of EU accounts potentially affected is less than 10% of that.
“Facebook has assured us that they will be in a position to provide a further breakdown in relation to more detailed numbers soon.”
On Friday the social media giant, which has more than 2 billion users worldwide, announced engineers had discovered a “security issue” which allowed hackers to easily collect access tokens from 50 million accounts.
The tokens work as digital keys, letting those who hold them log into Facebook accounts without entering a password, said Guy Rosen, Facebook’s vice president of product management.
Mr Rosen said the affected tokens have been reset but experts have since warned the same digital keys could have been used to log into any third-party services linked to compromised Facebook accounts.
“Effectively what that means is, for a while, people would have been able to hack into your Spotify or Tinder or any other account if they were connected via Facebook,” said Graham Cluley, an online security analyst and author based in Oxford.
It is still unclear whether hackers took any personal data from the compromised Facebook accounts, he said, and third-party services would have been unable to detect the difference between a legitimate user logging in or someone using a stolen access token.
“This isn’t the first time there has been a big security scare with Facebook and people put an enormous amount of trust in that website. I’m not sure that’s a sensible thing to do,” he added.
In July, the Information Commissioner’s Office fined Facebook £500,000 for a data breach related to the Cambridge Analytica scandal.
ICO deputy commissioner of operations James Dipple-Johnstone said: “It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers.
“We will be making enquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected.”
