Irish data authority probing Facebook over breach of 50 mn accounts

Facebook admitted to the data breach in a blog post last Friday, saying attackers exploited a vulnerability in the website's cod
Facebook admitted to the data breach in a blog post last Friday, saying attackers exploited a vulnerability in the website's code in September in a way that could have given them access to people's accounts

Ireland's data protection authority launched an investigation into Facebook Wednesday, bringing stringent new European privacy laws to bear on the tech titan after a security breach exposed 50 million accounts.

The move comes after the social media firm admitted to the data breach in a blog post last Friday, saying attackers exploited a vulnerability in the website's code in September in a way that could have given them access to people's accounts.

"The Irish Data Protection Commission (DPC) has today, 3 October 2018, commenced an investigation... into the Facebook data breach," a DPC spokesman said in a statement.

"In particular, the investigation will examine Facebook's compliance with its obligation under the General Data Protection Regulation (GDPR) to implement appropriate technical and organisational measures to ensure the security and safeguarding of the personal data it processes."

The Irish probe has been touted as the first major test of the reformed European regulation which came into effect in May.

GDPR gives regulators sweeping powers to sanction organisations which fail to adhere to heightened standards of security when processing personal data.

Firms can be fined up to four percent of annual global turnover if they fail to abide by the rules—meaning Facebook faces a theoretical fine of 1.4 billion euros ($1.6 billion), based on its 2017 annual revenue of 35.2 billion euros ($40.6 billion).

But on Tuesday the EU's top data privacy official said the social media giant is unlikely to face the maximum penalty because it had adhered to rules requiring notification of the data breach within 72 hours.

This "is one of the factors which might result in lower sanctions", EU Justice and Consumer Affairs Commissioner Vera Jourova told AFP in Luxembourg.

"But this is only theoretical", she added.

Facebook declined to comment when approached by AFP prior to the announcement of the investigation.

In its post on Friday Facebook said the data breach happened on September 25.

"This allowed them to steal Facebook access tokens which they could then use to take over people's accounts," VP of Product Management Guy Rosen wrote.

"We have yet to determine whether these accounts were misused or any information accessed. We also don't know who's behind these attacks or where they're based."

On Monday, Ireland's DPC said staff believe that of the total profiles potentially impacted, less than 10 percent are EU accounts.

Facebook—which has established its international headquarters in Ireland—is already suffering from a tainted reputation on data security following the Cambridge Analytica (CA) scandal.

In that case, tens of millions of users had their personal data hijacked by CA, a political firm working for Donald Trump in 2016.

Explore further: EU warns Facebook not to lose control of data security