Last Friday, Facebook announced that over 50 million users were affected by a data breach, one of the largest in the company's 14-year history. Now, one week later, the circumstances of the attack have still not been clearly published by Facebook, and authorities are asking for answers.
According to the New York Times, three software flaws in Facebook’s systems allowed hackers to break into user accounts. Facebook said the attackers had exploited two bugs in the site’s “View As” feature, which lets users see how their profile appears to other people.
Attackers took Facebook access tokens
Attackers could then steal Facebook access tokens, the digital keys that keep a user logged in, allowing them to fully take over that person’s Facebook account. In response, Facebook forced more than 90 million users to log out last Friday as a precaution, invalidating their tokens. However, Facebook is still assessing the full impact of the attack. It does not yet seem to know who was behind the attack or even what its consequences will be, as Scroll.in reports.
“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code.”
said Guy Rosen, vice-president of product management at Facebook.
Were Europeans affected?
The Irish data protection commissioner (responsible for regulating Facebook’s activities in Europe) announced in a statement via Twitter on Monday that the number of potentially affected EU accounts “is less than 10 per cent of the 50 million accounts in total potentially affected by the security breach”. This means that approximately 5 million of the users affected by the breach may be EU citizens or located in the EU, the Irish Times reports.
“Facebook has assured us that they will be in a position to provide a further breakdown in relation to more detailed numbers soon,”
the commission added.
What did Facebook do after the attacks?
In a blog post responding to the data breach, Facebook said its “investigation is still in its early stages” and that it was taking the issue “incredibly seriously”.
Facebook also stated that it had fixed the vulnerabilities and notified law enforcement officials (the company had alerted the Irish DPC and the U.S. Federal Bureau of Investigation), as IAPP reports.
Comments and Reactions
Not surprisingly, the news spread fast through the privacy world, not only in the US but also in Europe. And we did not have to wait long for reactions from commissioners and politicians.
EU Justice Commissioner Vera Jourova urged Facebook to “fully cooperate” with the Irish DPC, and European Commission Vice-President for the Digital Single Market Andrus Ansip used the occasion to call for more security design in software, IAPP reports.
However, for advertisers on Facebook, Friday’s security breach seems to “barely register”, as Adweek reports.
“[Data breaches have] happened so many times that people are like, ‘Well, this sounds pretty bad, but what are we going to do?’ We still have to advertise on Facebook, … At some point you become so used to it that it barely registers”,
said Kevin Urrutia, a co-founder and partner at the agency Voy Media, which specializes in Facebook and Instagram advertising.
GDPR enforcement becomes more important
Since the GDPR came into force on 25 May 2018, new obligations apply when a company discovers that a data breach has occurred. According to Art. 33 GDPR,
“in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
The Irish DPC confirmed that it was alerted to the data breach within the 72-hour breach notification limit, but added that it “is awaiting from Facebook further urgent details of the security breach” and whether EU users were affected.
We will see whether Facebook is ready to comply with the GDPR requirements in the future. If not, the GDPR gives data protection authorities the power to sanction it with high fines: up to 4 % of the company’s worldwide annual turnover or 20 million euros, whichever is higher.