Last weekend news broke of a data breach via the Conservative Party conference app, prompting predictions of an embarrassing GDPR fine for the party currently in power. The limelight for that breach was wholly stolen by Facebook, which revealed the largest data breach in the company’s history on the morning of Friday 28 September 2018 (Pacific Standard Time).
The attackers exploited a vulnerability in the site’s ‘View As’ feature to gain access to user accounts and take control of them. It was speculated that at least 50 million accounts could have been compromised. According to Facebook’s timeline, Friday’s disclosure came just before the expiry of the 72-hour window the GDPR allows for notifying privacy commissioners throughout Europe.
Data Commissioners, Regulators and Courts
Ireland’s Data Protection Commission (DPC) stated that Facebook’s initial notification to the regulator about the breach, sent on Thursday, “lacked detail”, and it has requested further information from the company:
“The DPC is concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts, but Facebook is unable to clarify the nature of the breach and the risk for users at this point,” the DPC said in an emailed statement to Forbes.
On the evening of Monday 1 October 2018 the DPC further mentioned that:
“…the number of potentially affected EU accounts is less than 10% of the 50 million accounts in total potentially affected by the security breach.”
The Information Commissioner’s Office (ICO) in the UK is still determining whether UK citizens were affected:
“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers.
“We will be making enquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected.”
The head of Germany’s antitrust watchdog, Andreas Mundt, told a conference on competition law in Berlin on Monday 1 October 2018 that he was “very optimistic” his office would take action against Facebook this year, after finding that it had abused its market dominance to gather data on people without their consent:
“We are currently evaluating Facebook’s opinion on our preliminary assessment and I’m very optimistic that we are going to take further steps…”
Hours after it announced a massive security breach affecting at least 50 million of its users, Facebook faced a class action over the breach in a California court, with two Claimants seeking relief and damages against Facebook in the form of a fine under the California Civil Code.
On Tuesday 2 October 2018 the EU’s Justice and Consumer Affairs Commissioner Vera Jourova expressed concern that Facebook had lost control of data security following the vast privacy breach:
“It is a question for the management, if they have things under control…The magnitude of the company… makes it very difficult to manage, but they have to do that because they are harvesting the data and they are making incredible money on using our privacy as the commodity.”
“I will know more … in hours or days but according to our knowledge, five million Europeans have been affected out of those 50, which is an incredible number…”
The size of Facebook’s potential fine
The GDPR states that companies must do enough to protect their users’ data or face a fine of the higher of 20 million euros or 4% of their global annual revenue for the previous year. The latter, in Facebook’s case, would amount to $1.6 billion, according to an estimate from The Wall Street Journal.
A further dip in confidence and reputation
Facebook is still facing ICO (and, in the United States, SEC, FBI and FTC) probes arising from the Cambridge Analytica scandal. Investors also seem to be walking away, with the share price falling 3.4% after the company announced the breach on Friday.
Third party log-in data and the sale of personal data
Professor Matt Warren of Deakin University’s Cyber Security Research Institute said Facebook’s data breach meant that users’ private conversations, photos and even check-ins could be exposed:
“Several users use a federated log-in with Tinder, Spotify and Instagram, meaning their Facebook account can be used to log them in on those sites…The biggest risk with this is that users’ photos, data and location details could have been harvested in this breach…We could start seeing a trend of fake accounts using people’s posts and photos…On the dark net this data could be used as a potential way to make money by blackmailing users or it could be used as a harvest for email addresses to launch spam attacks.”
An investigation by Money Guru into the sale of personal data on dark web marketplaces revealed that criminals can buy Facebook logins for just £3, and email logins for as little as £2.10. Money Guru also found that hackers can purchase the majority of someone’s online life for £744.30: details such as email addresses, usernames and the details associated with those accounts, including one’s true name, address and phone number.
What will the future bring?
There have of course been other recent high-profile breaches under the GDPR (such as British Airways’ disclosure in early September that hackers had, for more than two weeks, intercepted the financial details of customers making bookings), but none has been on the scale of Facebook’s breach.
Facebook will take some comfort from the fact that no data breach has been litigated in an English court since the GDPR came into force. At best, we have only a vague sense of what a strong or weak case would look like.
It is possible that Facebook will face a very large fine from the ICO, and indeed from other Data Commissioners whose citizens have been affected. The question a reasonable Data Commissioner will likely ask in the weeks ahead is whether a company of Facebook’s size and reputation, which handles the personal data of EU citizens on a daily basis, had actually invested enough in security to avert a data breach of the size seen.