Facebook faces the possibility of a heavy fine under the General Data Protection Regulation over the recent data breach affecting more than 50 million accounts.
The General Data Protection Regulation (GDPR) is a set of stringent privacy laws designed to protect the personal data of individuals living in the European Union. Under the law, companies that do not protect user data adequately can face maximum fines of €20 million ($23 million) or 4% of the company’s global annual revenue for the previous year, whichever is the larger amount. In the case of Facebook, the maximum amount would be $1.63 billion.
Another GDPR requirement is to report any breach or potential breach within three days of the incident. If this is not done, a maximum fine of 2% of annual revenue can be applied.
Facebook did satisfy the second requirement by notifying Ireland’s Data Protection Commission (DPC) of the breach on 28th September.
The DPC, however, said that Facebook’s notification regarding the breach “lacked detail.” Facebook announced the breach on Friday, saying that an unknown attacker had breached Facebook’s site and compromised the accounts of 50 million users.
According to the official security update from Facebook, the breach involved Facebook’s “View As” feature. Facebook’s VP for product management, Guy Rosen, said regarding the breach:
Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View as”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
As a preliminary damage-control measure, Facebook said that it has reset the access tokens of almost 50 million accounts known to have been affected by the breach, and, as an additional precaution, reset the access tokens of another 40 million accounts that had been looked up via the “View As” feature in the last year.
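The containment step described above, invalidating every outstanding access token for a set of accounts so that stolen tokens stop working while legitimate users simply log in again, can be implemented with a per-account token generation counter. The following is an added illustration written for this article, not Facebook’s code; the service name, the token format and the sample account ids are constructed for the example, and the signing key would in practice live in a key-management system rather than in process memory.

```python
"""Bulk access-token invalidation via a per-account generation counter.

Added example, not code from Facebook. Token format, TokenService and the
sample accounts below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


@dataclass
class TokenService:
    # Server-side HMAC key (constructed here; in production this lives in a KMS/HSM).
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    # Current token generation per account. A token is only accepted if the
    # generation it carries matches this value, so bumping it revokes every
    # token issued before the bump without touching passwords.
    generation: Dict[str, int] = field(default_factory=dict)

    def _sign(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str) -> str:
        """Issue a new token bound to the account's current generation."""
        gen = self.generation.setdefault(user_id, 0)
        payload = f"{user_id}:{gen}:{secrets.token_hex(8)}"
        return f"{payload}:{self._sign(payload)}"

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a valid, current token, else None."""
        parts = token.split(":")
        if len(parts) != 4 or not parts[1].isdigit():
            return None  # malformed token
        user_id, gen_s, nonce, sig = parts
        payload = f"{user_id}:{gen_s}:{nonce}"
        # Constant-time comparison so signature checks do not leak timing.
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None  # forged or tampered token
        if int(gen_s) != self.generation.get(user_id, 0):
            return None  # token predates a reset for this account
        return user_id

    def reset_tokens(self, user_ids: Iterable[str]) -> int:
        """Invalidate all outstanding tokens for the given accounts.

        Takes any iterable, so a confirmed-affected set and a precautionary
        set (accounts merely looked up through the abused feature) can be
        passed together. Returns the number of accounts reset.
        """
        ids = set(user_ids)
        for uid in ids:
            self.generation[uid] = self.generation.get(uid, 0) + 1
        return len(ids)


def demo() -> Dict[str, object]:
    """Walk through issue -> reset -> re-validate with constructed accounts."""
    svc = TokenService()
    stolen = svc.issue("victim-1")      # token an attacker is assumed to hold
    untouched = svc.issue("user-2")     # account outside the reset set
    confirmed = {"victim-1"}
    precautionary = {"looked-up-3", "looked-up-4"}
    reset_count = svc.reset_tokens(confirmed | precautionary)
    fresh = svc.issue("victim-1")       # user logs in again after the reset
    return {
        "reset_count": reset_count,
        "stolen_valid_after_reset": svc.validate(stolen),
        "untouched_still_valid": svc.validate(untouched),
        "fresh_login_valid": svc.validate(fresh),
        "tampered_rejected": svc.validate(fresh[:-1] + ("0" if fresh[-1] != "0" else "1")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The generation counter is what makes the reset cheap at scale: revoking tokens for tens of millions of accounts is one integer increment per account rather than a search for every token ever issued, and tokens held by other accounts keep working.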