Facebook faces $1.6bn fine and formal investigation over massive data breach

Irish data regulator could penalize the social network after hack of nearly 50m accounts

The Irish Data Protection Commission has opened a formal investigation into a data breach that affected nearly 50m Facebook accounts, which could result in a fine of up to $1.63bn.

The breach, which Facebook engineers discovered on Tuesday 25 September, gave hackers the ability to take over users’ accounts. It was patched on Thursday, the company said.

“The investigation will examine Facebook’s compliance with its obligation under the General Data Protection Regulation (GDPR) to implement appropriate technical and organisational measures to ensure the security and safeguarding of the personal data it processes,” the commission said in a statement on Wednesday.

The commission regulates Facebook’s adherence to GDPR, a European law that strengthens the privacy protections of individuals and introduces harsh penalties for companies that fail to protect user data.

The commission noted that Facebook had told it that its internal investigation was continuing and that the company continued “to take remedial actions to mitigate the potential risk to users”.

“We have been in close contact with the Irish Data Protection Commission since we have become aware of the security attack and will continue to cooperate with their investigation,” said a Facebook spokeswoman.

Shortly after the Irish Data Protection Commission announced its investigation, the Spanish Data Protection Agency announced it would collaborate on the investigation to protect the rights of Spanish citizens.

The security breach is believed to be the largest in Facebook’s history and is particularly egregious because the hackers stole “access tokens”, digital keys that keep users logged into Facebook across browsing sessions without having to enter their password each time. An attacker holding a valid token can take full control of the victim’s account, including logging into third-party applications that use Facebook Login.
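As an added illustration, not code from Facebook or from this article, the constructed Python model below shows the property the paragraph describes: a bearer token stands in for the password, whoever presents it is treated as the account it was issued to, and a site that delegates login to the platform inherits that trust. It also shows the usual remediation, invalidating every token issued before a cutoff so that stolen copies stop working. The classes, method names and the user `alice` are hypothetical and are not the platform’s real API.

```python
"""Bearer-token session model (constructed example, not Facebook's code).

Shows why possession of an access token is equivalent to a login, how a
third-party site that trusts the platform's answer about a token inherits
the problem, and how server-side revocation cuts off stolen tokens.
"""
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    user_id: str
    issued_at: float
    revoked: bool = False


class TokenService:
    """Hypothetical platform service that issues and validates opaque bearer tokens."""

    def __init__(self) -> None:
        # Store only a hash of each token so a leaked table is not directly usable.
        self._records: dict[str, TokenRecord] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, password_ok: bool, now: float | None = None) -> str:
        """The password is checked once; from then on the token stands in for it."""
        if not password_ok:
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = TokenRecord(user_id, now if now is not None else time.time())
        return token

    def whoami(self, token: str) -> str | None:
        """Bearer semantics: nothing checks *who* presents the token, only that it is valid."""
        rec = self._records.get(self._key(token))
        if rec is None or rec.revoked:
            return None
        return rec.user_id

    def revoke_issued_before(self, cutoff: float) -> int:
        """Remediation: invalidate every token minted before `cutoff`; returns the count."""
        count = 0
        for rec in self._records.values():
            if not rec.revoked and rec.issued_at < cutoff:
                rec.revoked = True
                count += 1
        return count


class ThirdPartyApp:
    """A site using platform login: it trusts whatever identity the platform reports for a token."""

    def __init__(self, platform: TokenService) -> None:
        self._platform = platform
        self.sessions: dict[str, str] = {}

    def login_with_platform(self, token: str) -> str | None:
        user = self._platform.whoami(token)
        if user is None:
            return None
        self.sessions[secrets.token_hex(8)] = user
        return user


def demo() -> dict:
    """Walk through theft, misuse at a third party, revocation and fresh login."""
    svc = TokenService()
    app = ThirdPartyApp(svc)
    t0 = 1000.0
    victim_token = svc.issue("alice", password_ok=True, now=t0)  # alice is a constructed user
    # An attacker who copies the token is indistinguishable from alice; no password is needed.
    attacker_as = svc.whoami(victim_token)
    app_login_as = app.login_with_platform(victim_token)
    # The platform invalidates all tokens issued before the cutoff; stolen copies die with them.
    revoked = svc.revoke_issued_before(t0 + 1)
    after_revoke = svc.whoami(victim_token)
    after_revoke_app = app.login_with_platform(victim_token)
    # The legitimate user logs in again with the password and gets a fresh token.
    new_token = svc.issue("alice", password_ok=True, now=t0 + 10)
    return {
        "attacker_as": attacker_as,
        "app_login_as": app_login_as,
        "revoked": revoked,
        "after_revoke": after_revoke,
        "after_revoke_app": after_revoke_app,
        "relogin": svc.whoami(new_token),
    }
```

Running `demo()` shows the attacker authenticated as `alice` both to the platform and to the third-party app before revocation, and rejected everywhere afterwards; the revocation is the only control in this model that helps once a token has already left the server, which is why bulk token resets are the standard response to a token theft.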

The breach comes at a time when Facebook is under heavy scrutiny over issues including foreign interference in elections, its role in spreading misinformation and hate speech, and privacy.

Facebook announced the breach in a blogpost on Friday, saying it was taking the issue “incredibly seriously”. Over the weekend the commission said it was “concerned that this breach was discovered on Tuesday and affects millions of users”.

Facebook was “unable to clarify the nature of the breach and risk” to users at that point, the commission said, adding that it was pushing the company to “urgently clarify these matters”.

Rowenna Fielding, a senior data protection lead at Protecture Limited, said: “Facebook should have tested the ‘view as’ function with a ‘what could an attacker do with this’ mindset and they either didn’t, or didn’t care about the gaping hole.”

The investigation will focus on ‘Facebook’s compliance with its obligation under (GDPR)’. Photograph: Alamy Stock Photo

Dr Lukasz Olejnik, an independent cybersecurity and privacy adviser, noted that this was the first major GDPR investigation that would test whether Facebook followed its rules around security of data processing.

“This high-stakes matter may become the defining moment of GDPR,” he said.

Other data security experts believe that Facebook will get off lightly.

“The Irish regulator doesn’t really have a track record of robust enforcement, so I don’t think Facebook is likely to be concerned about penalties they might levy,” said Fielding.

She said that the $1.63bn potential fine was “unlikely”, describing it as a “ceiling, not a stipulation”.

“However, the precedent set by any regulatory finding of unlawful processing could be very significant, especially in follow-on litigation by individual data subjects affected,” she added.


Olivia Solon in San Francisco

The Guardian
