Facebook’s lead regulator in the European Union, the Irish Data Protection Commissioner (DPC), on October 3 began an investigation into a massive cyberattack on the social networking site disclosed by the company last week. Facebook said that hackers had stolen login codes that allowed them to access nearly 50 million Facebook accounts, its worst-ever security breach given the unprecedented level of potential access.
“In particular, the investigation will examine Facebook’s compliance with its obligation under the General Data Protection Regulation (GDPR) to implement appropriate technical and organizational measures to ensure the security and safeguarding of the personal data it processes,” the DPC said in a statement.
Facebook spokeswoman Katy Dormer declined to comment on the agency’s review.
Under the new GDPR European privacy regulations, which came into effect in May, breaking privacy laws can result in fines of up to 4 per cent of global revenue or 20 million euros, whichever is higher, as opposed to a few hundred thousand euros previously.
The DPC, which regulates a number of US multinationals with European headquarters in Dublin, said Facebook informed it that their own internal investigation is ongoing and that the company continued to take remedial actions to mitigate the potential risk to users.
Facebook said on Tuesday that investigators had determined that the hackers did not access other sites that use the social networking site’s single sign-on. The US Federal Trade Commission on Wednesday advised Facebook users to consider changing their passwords and be on the alert for “imposter scams” targeting them with data stolen from the social networking site.
“If someone calls you out of the blue asking for money or personal information, hang up,” FTC attorney Lisa Weintraub Schifferle said in an alert posted on the agency’s website.
Some security experts, including a former Facebook executive, said the company may have painted a worst-case scenario when it disclosed the attack on Friday to ensure compliance with the strict new European Union privacy rules.
GDPR imposes steep penalties if companies fail to follow rules that include a requirement that they disclose breaches within 72 hours of discovery. That is a tight window that security experts say does not give investigators adequate time to determine the impact of the breach. Facebook’s latest vulnerability had existed since July 2017, but the company first identified it of last week.