Facebook on Friday said it had exposed certain information on more than 50 million accounts in the largest known security breach in the company’s history. But shoring up security may not be the social media giant’s biggest problem.
The security compromise, which was discovered on Tuesday, September 25, could potentially cost Facebook billions in fines if the European Union dings the company for failing to adequately protect user data under the new General Data Protection Regulation (GDPR). Because millions of Facebook’s 2.2 billion users live in Europe, the GDPR’s data protection and privacy rules apply to them. Depending on how much user information, and what kind, was exposed (Facebook hasn’t determined that yet), the regulatory and financial impact, if any, could be significant.
Facebook Security Breach Details
As for the breach, here’s what happened, according to the social media giant:
- An as-yet unidentified hacker or group of hackers exploited a technical vulnerability in Facebook’s code that affected its ‘View As’ feature, which lets people see how their profile appears to others. The attackers used it to steal the access tokens (the digital keys that keep a user logged in) of some 50 million people and potentially gained control over their accounts.
- The vulnerability was introduced into Facebook's system more than a year ago when the company updated the "View As" feature.
- The compromise also extends to other sites and apps that users sign in to with their Facebook credentials (Facebook Login).
- At this point, Facebook doesn’t know if, how much or what kind of data in the exposed accounts may be out in the open.
- Facebook reset the access tokens for the 50 million people it knows were affected and, as a precaution, also reset the tokens of another 40 million accounts that had been the subject of a ‘View As’ look-up in the last year. The net result is that about 90 million people will now have to log back in to Facebook and to any of their apps that use Facebook Login.
- Facebook believes it has fixed the security vulnerability. As a precaution, the company has temporarily turned off the ‘View As’ feature while it conducts its investigation.
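As an added illustration of the remediation described in the bullets above (this is constructed example code, not Facebook’s, and the token ids, user ids, timestamps and the View As log are all hypothetical), the sketch below shows how a per-user revocation watermark lets a service invalidate every outstanding token for a set of accounts with one write per user, including the precautionary reset of accounts that were the subject of a ‘View As’ look-up inside a time window:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    token_id: str
    user_id: int
    issued_at: int  # seconds since epoch on a hypothetical clock


class TokenStore:
    """Tokens are checked against a per-user 'not-before' watermark, so revoking
    every token a user holds is a single write, not a scan of the token table."""

    def __init__(self) -> None:
        self._tokens: dict[str, Token] = {}
        self._not_before: dict[int, int] = {}

    def issue(self, token_id: str, user_id: int, now: int) -> Token:
        tok = Token(token_id, user_id, now)
        self._tokens[token_id] = tok
        return tok

    def is_valid(self, token_id: str) -> bool:
        tok = self._tokens.get(token_id)
        if tok is None:
            return False
        # Any token issued before the user's watermark was reset and is dead;
        # tokens issued at or after the reset instant are accepted.
        return tok.issued_at >= self._not_before.get(tok.user_id, 0)

    def reset_users(self, user_ids, now: int) -> int:
        """Invalidate all existing tokens for each user; returns number of users reset."""
        targets = set(user_ids)
        for uid in targets:
            self._not_before[uid] = now
        return len(targets)


def users_to_reset(known_affected, view_as_log, window_start: int) -> set:
    """Accounts known to be affected plus, as a precaution, every account that was
    the subject of a 'View As' look-up inside the window (the 50M + 40M pattern).
    view_as_log is a constructed list of (subject_user_id, timestamp) pairs."""
    precaution = {subject for subject, ts in view_as_log if ts >= window_start}
    return set(known_affected) | precaution
```

Because validation compares issuance time against the watermark, a newly issued token for a reset user is accepted while every token from before the reset is refused.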
“We face constant attacks from people who want to take over accounts or steal information around the world,” Facebook CEO Mark Zuckerberg, wrote in a blog post. “While I'm glad we found this, fixed the vulnerability, and secured the accounts that may be at risk, the reality is we need to continue developing new tools to prevent this from happening in the first place.”
Guy Rosen, Facebook’s VP of product management, issued the company’s apology: “People’s privacy and security is incredibly important, and we’re sorry this happened,” he said in a blog post.
Facebook Security Breach: Industry Reaction
The security breach triggered reactions from across the technology industry. Among the experts and influencers who weighed in with perspectives:
Mark Weiner, CMO, Balbix, a breach control specialist:
"In this case, Facebook's own software for access tokens had the vulnerability, not a third-party component. This latest breach highlights the critical need to continuously monitor, in real time, your entire IT infrastructure to ensure vulnerabilities are proactively managed and prioritized by their business risk."
Jacob Serpa, product marketing manager, Bitglass, a cloud access security brokerage:
“The fact that Facebook allowed hackers to exfiltrate the private details of 50 million users is likely to have a detrimental effect on the company's reputation for quite some time.”
Zohar Alon, co-founder and CEO, Dome9, a security solutions provider:
“As Facebook has just discovered, any vulnerability that is not remediated will be quickly exploited. Facebook and other organizations...must add more layers of defense to their cybersecurity strategy to prevent login credentials from being compromised in the first place.”
Regulatory and Legislative Fallout
Regulators and policy makers are also watching the situation closely.
In the incident’s immediate wake, U.S. Sen. Mark R. Warner (D-VA), vice chairman of the Senate Select Committee on Intelligence and co-chair of the Senate Cybersecurity Caucus, called it “deeply concerning.” Warner said a “full investigation should be swiftly conducted and made public so that we can understand more about what happened.”
Commissioner of the U.S. Federal Trade Commission Rohit Chopra said he wanted answers. “Breaches don’t just violate our privacy. They create enormous risks for our economy and national security,” he said in a statement. “The cost of inaction is growing, and we need answers.”
Are GDPR Fines On the Way?
Amid the Facebook breach and other recent security incidents, business leaders are waiting to see if or how GDPR-related fines emerge.
Last month, a British Airways breach hit nearly 400,000 customers in what could become the EU’s first big test under the GDPR.
Earlier, U.K. regulators hit Facebook with the maximum allowable penalty of $650,000 under the earlier data protection law over its unauthorized sharing with Cambridge Analytica of personal data on millions of its users. In that instance, had Facebook been fined under the GDPR, the penalty could have been $1.6 billion.