Facebook is facing a potential £1.2bn fine for a data breach which allowed hackers to access the personal information of 50 million users. The Irish Data Protection Commission (IDPC), the lead supervising authority for Facebook in the EU, officially opened its investigation this week after the social media giant admitted hackers could have accessed the accounts of millions of users through a “vulnerability” last Friday.
An IDPC spokesman said the investigation will focus on Facebook’s responsibility “to implement appropriate technical and organizational measures to ensure the security and safeguarding of the personal data it processes.”
The maximum fine a supervisory authority can levy for breaking GDPR rules is four per cent of a company's total worldwide annual turnover for the preceding financial year (or €20m, whichever is higher), which would be about £1.2bn in Facebook's case.
A Facebook spokeswoman said: “We have been in close contact with the IDPC since we have become aware of the security attack and will continue to co-operate with their investigation.”
On Friday the social media giant, which has more than two billion users worldwide, announced engineers had discovered a “security issue” which allowed hackers to easily collect access tokens from 50 million accounts.
Early estimates point to less than 10 per cent of accounts affected coming from the EU, but it is not clear how many of these are UK-based.
Access tokens work as digital keys, letting those who hold them log into Facebook accounts without entering a password, Guy Rosen, Facebook’s vice president of product management, said.
Mr Rosen said a combination of three bugs in the “View As” feature, which lets users see what their profile looks like from the perspective of other accounts, made these access tokens freely available to copy from the source code of the web page.
It was this vulnerability that allowed "an external actor" to obtain access tokens for more than 50 million accounts, giving them the ability to log in to, and take over, users' Facebook accounts, as well as any third-party services, such as Spotify, Instagram or Tinder, that accept a Facebook access token in place of a password.
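The failure mode described in the two paragraphs above, reduced to its essentials as an added example: a preview feature mints a bearer token for the account being viewed rather than for the logged-in user, and writes it into the page markup, where anyone who can load the page can copy it. This is illustrative code written for this page, not Facebook's code, and it does not reproduce the three specific bugs in "View As": the token format (uid.nonce.hmac), the signing key, the rendering functions and the user names alice and bob are all constructed assumptions.

```python
"""Illustrative reconstruction of a 'view as' token leak (not Facebook's code).

Assumptions: tokens are 'uid.nonce.hmac' strings signed with a server-side key,
and the page embeds a JSON-free HTML widget. Both are constructed for the demo.
"""
import hashlib
import hmac
import re
import secrets

SIGNING_KEY = b"demo-only-signing-key"  # assumption: a server-side secret


def mint_token(user_id: str) -> str:
    """Mint a bearer token that acts as user_id. Whoever holds it is user_id."""
    nonce = secrets.token_hex(8)
    payload = f"{user_id}.{nonce}"
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def principal_of(token: str):
    """Return the user a token acts as, or None if it is not validly signed."""
    try:
        user_id, nonce, mac = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(
        SIGNING_KEY, f"{user_id}.{nonce}".encode(), hashlib.sha256
    ).hexdigest()
    return user_id if hmac.compare_digest(mac, expected) else None


def render_view_as_vulnerable(session_user: str, viewed_as: str) -> str:
    """Vulnerable: an embedded uploader widget is handed a token for the
    *viewed-as* account (not the session user) and the token is written
    straight into the page source, where it can be copied by the viewer."""
    token = mint_token(viewed_as)
    return f'<div id="uploader" data-access-token="{token}">...</div>'


def render_view_as_fixed(session_user: str, viewed_as: str) -> str:
    """Hardened: the preview is rendered read-only and no token for anyone
    is written into the markup. Any real action would be authorised by
    session_user's own session, never by a token for viewed_as."""
    return f'<div id="uploader" data-preview-of="{viewed_as}" data-readonly="1">...</div>'


# Anything shaped like our assumed token format: uid.16-hex-nonce.64-hex-mac
TOKEN_RE = re.compile(r"[A-Za-z0-9_]+\.[0-9a-f]{16}\.[0-9a-f]{64}")


def harvest_tokens(html: str):
    """What an attacker, or a leak scanner, does with the page: pull every
    token-shaped string out of the HTML and keep the ones that verify."""
    return [t for t in TOKEN_RE.findall(html) if principal_of(t) is not None]


def audit(session_user: str, viewed_as: str, renderer):
    """Set of principals whose valid tokens leak into the rendered page."""
    return {principal_of(t) for t in harvest_tokens(renderer(session_user, viewed_as))}


if __name__ == "__main__":
    # alice previews her profile 'as' bob; with the vulnerable renderer she
    # walks away holding a token that acts as bob.
    print("vulnerable leaks:", audit("alice", "bob", render_view_as_vulnerable))
    print("fixed leaks:     ", audit("alice", "bob", render_view_as_fixed))
```

The audit function doubles as a regression check: run it over every page a "view as" style feature can render and assert the result is empty, because a token for any account other than the session user appearing in markup is exactly the class of bug described above.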
Mr Rosen said in an announcement on Tuesday that Facebook investigators had “so far found no evidence that the attackers accessed any apps using Facebook Login”.
Hackers are known to sell personal data from Facebook for as little as £3 on the dark web – a part of the internet only accessible through specialist software – although it is unclear how, or if, any personal data from the latest hack has been used.
“This isn’t the first time there has been a big security scare with Facebook and people put an enormous amount of trust in that website. I’m not sure that’s a sensible thing to do,” Graham Cluley, an online security analyst and author based in Oxford, said.
In July, the Information Commissioner’s Office (ICO) fined Facebook £500,000 for a data breach related to the Cambridge Analytica scandal.
ICO deputy commissioner of operations James Dipple-Johnstone said on Friday: “It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers.
“We will be making inquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected.”