Will Facebook be the first company hit with a GDPR fine?
In August, we reflected on how Facebook was having a tough year. The Cambridge Analytica scandal resulted in Mark Zuckerberg having to face down US Senators at a Congressional hearing, and the company’s value plummeted by over £90 billion in just a few days as a result.
At the time, we speculated about the size of the fine that Facebook could have expected to face if the breach had fallen under the recently introduced GDPR. The social media giant reported $40 billion in revenue last year, which would roughly work out to a penalty of $1.6 billion – or £1.21 billion – if regulators enforced the maximum punishment of 4 per cent of annual earnings.
Just two months later, our calculations may be put to the test, after Facebook was forced to admit that hackers have again breached the organisation’s defences.
How did the breach occur?
On September 24th, Facebook engineers discovered weaknesses in its systems that allowed cyber criminals to take over users’ accounts. The problems were patched two days later, but the company had to inform regulators that the breach directly affected approximately 50 million profiles.
Hackers were able to exploit vulnerabilities in Facebook’s ‘View As’ feature, which enables users to see how their profile looks to other people. As a result, the unknown individuals could steal Facebook access tokens, allowing them to take over user accounts. Access tokens allow users to stay logged into their account without having to key in their password each time.
The breach may also have enabled cyber criminals to steal digital keys that allow users to log in to external services and apps, such as Instagram, using their Facebook account.
What actions have been taken since the breach?
Facebook reset the access tokens of almost 50 million affected accounts, as well as a further 40 million profiles it suspects could have been targeted. According to Forbes, fewer than 10 per cent of the 50 million affected users were based in the EU.
Nevertheless, the Irish Data Protection Commission (DPC), which monitors Facebook’s adherence to GDPR, announced earlier this month that it has opened a formal investigation into the breach. The news was confirmed via a DPC tweet, which we’ve published below:
Investigation commenced into Facebook data breach. @DPCIreland statement beneath. #dataprotection #GDPR #eudatap pic.twitter.com/7eHKUigTq5
— Data Protection Commission Ireland (@DPCIreland) October 3, 2018
The DPC has also shown concern over the lack of detail Facebook has provided about the breach. The company was unable to clarify the nature of the incident and the subsequent risks to users.
What happens next?
Media reports are estimating that Facebook could be fined $1.64 billion, a figure likely based on the organisation’s 2017 revenues.
However, the firm’s H1 revenue for 2018 showed 45 per cent year-on-year growth to $25.2 billion. If Facebook matches this performance in the second half of the year, a maximum fine could easily surpass $2 billion.
Cyber security experts have expressed some doubt over whether the DPC will impose such a sizeable fine. Rowenna Fielding, a Senior Data Protection Lead at Protecture Limited, told the Guardian that a maximum penalty is “unlikely”.
“The Irish regulator doesn’t really have a track record of robust enforcement, so I don’t think Facebook is likely to be concerned about penalties they might levy,” she explained.
That said, Ms Fielding said a regulatory finding that Facebook unlawfully failed to safeguard the personal data it processes would be significant and could lead to civil litigation from affected users.
Are your systems GDPR compliant?
Many businesses will be eyeing the outcome of the DPC investigation with keen interest.
Will the regulator make an example of Facebook by imposing a substantial fine to send a message? Or is the company likely to receive a slap on the wrist for any shortcomings that are uncovered?
Either way, the investigation will no doubt encourage firms to re-examine their own data protection and security measures to ensure they remain GDPR compliant.
Is now the time to strengthen your IT and security processes? Contact me on 020 7936 2601 today, or via email at am@barclaysimpson.com to discuss your cyber security recruitment needs.