Europe's GDPR law could see Facebook hit with $1.63 billion fine over recent hack

midian182

TechSpot Editor
Staff member

The flaw, which involved using the site’s “view as” and video uploader features, allowed hackers to steal Facebook’s access tokens and take over people's accounts. The company is still investigating whether it also allowed attackers to access more personal data such as direct messages.

According to the Wall Street Journal, Ireland’s Data Protection Commission, which is Facebook’s lead European privacy regulator, wants more information about the incident, including details on which EU citizens might have been affected.

The commission said it was “concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.”

Under Europe’s recently introduced General Data Protection Regulation (GDPR) law, companies that fail to do enough to protect their customers’ data face a maximum fine of $23 million, or 4 percent of their global revenue for the prior year, which is where the $1.63 billion figure comes from. Firms must also notify regulators of breaches within 72 hours or face a maximum fine of 2% of their worldwide revenue—it appears that Facebook complied with this particular rule.

European regulators are yet to use the GDPR law to hand out a fine, so it remains to be seen whether Facebook will be the first to receive such a punishment. A spokeswoman for the company said it would respond to follow-up questions from Ireland’s DPC and keep regulators up to date with its investigations.

Guy Rosen, Facebook’s vice president of product, warned that the stolen access tokens could be used to access other third-party apps that use Facebook logins, such as Spotify, Tinder, and Instagram, though there has been no confirmation of any accounts being breached.

Permalink to story.

 
S

senketsu

Canada needs to adopt the tactics of the EU. A few fines and we could halve our government's deficit.
 
  • Like
Reactions: Rayzor
That's right, fine the victim. I don't care for Zuck, but this is stupid.
You sure have a funny definition of "victim" here. Zucky isn't a victim, nor would he be paying the fines. The victims are the people whose security was breached, and personal data leaked or stolen. I didn't think this even needed to be stated.
 

cliffordcooley

TS Redneck
You sure have a funny definition of "victim" here.
So you are saying: if Techspot gets hacked, Julio Franco would not be a victim?

Because you think Techspot being his site. He should have had the security so tight, that no one should have been able to hack in.

Anyone on the opposite end of a hack is a victim. So no, I think it is you who has a funny definition of victim.
 

Rayzor

TS Rookie
You sure have a funny definition of "victim" here.
So you are saying: if Techspot gets hacked, Julio Franco would not be a victim?

Because you think Techspot being his site. He should have had the security so tight, that no one should have been able to hack in.

Anyone on the opposite end of a hack is a victim. So no, I think it is you who has a funny definition of victim.
The point isn't that companies can't have bugs or breaches. It's to make sure those companies handle the breach responsibly and that the bugs didn't go unpatched for a significant amount of time which would have prevented the breach in the first place. Facebook should get a pass this time if they meet these requirements. Now, the 2FA fiasco is another story and if it shakes out the way it looks like it will they should be fined the maximum amount. In that case it looks like they are not only intentionally abusing private customer data but data that was provided to them explicitly for security purposes.
 

cliffordcooley

TS Redneck
@Rayzor - I get what you are saying and agree. However data collection and security is two different things. You can't punish someone over data collection, by using an incident from an outside force. If they want to come forward and state Facebook can no longer store data on everyone because their security sux. That is one thing. That is not what they are doing, they are using this data breach as an excuse to pursue money collection for themselves. That is criminal on their part. If there is any money collected it should be from the hacker.

Edit:
And before you say I didn't read what you said. I will say I did read. And I disagree with the notion that these companies can secure data collection. There is no such thing as absolute security. Therefor the only fix would be to prevent data collection. Hence the reason why I didn't open dialog into a grey area..
 

Rayzor

TS Rookie
Security is hard, maybe impossible but it doesn't mean companies get a pass if they choose to collect private data. Facebook hasn't been fined over this yet and it is well within the EU's right to get the details to protect their citizens, as it should be for every other country including the US. If Facebook can show that they have reasonable security practices then there should be no fine. But, if we find that these specific bugs were revealed to the company months ago and no patches were developed, and some 14 year old was responsible for the breach with a downloaded exploit kit. Then the EU should go after Facebook and your government should too.