General Data Protection Regulation (GDPR) , Governance & Risk Management , Incident & Breach Response
Facebook Submits GDPR Breach Notification to Irish WatchdogReport Into 50 Million Breached Accounts Is Incomplete, Privacy Watchdog Warns
Facebook, which has its European operations based in Dublin, has notified its relevant data protection authority - the Irish Data Protection Commission - that it suffered a massive breach that put 50 million users at risk. The social network is also forcing 90 million users to log back into their accounts (see 50 Million Facebook Accounts Breached).
Whoever breached Facebook was able to exploit a privacy feature on the site. Facebook, however, says it's still investigating whether this attack was targeted. It's unclear too how many third-party services that allow single sign-on via Facebook may also have been breached.
"We've notified the Irish Data Protection Commission in accordance with our obligations under GDPR," Guy Rosen, Facebook's vice president of product management, said in a Friday press briefing.
Already, however, the DPC, which enforces the country's data privacy laws, has signaled that it finds Facebook's breach report to have been incomplete.
Under the EU's General Data Protection Regulation, which went into full effect on May 25, organizations that suffer a serious breach involving Europeans' personal data must report the breach to relevant authorities within 72 hours of becoming aware of it. Failure to do so, as well as more general information security shortcomings, can expose an organization to steep fines.
Breach Details Required
The U.K. Information Commissioner's office, which is the country's DPA, has told organizations that it doesn't just want a heads-up that an organization has been breached, but rather than it expects to see substantial details about the breach and its impact on victims, all within the 72-hour time frame (see Under GDPR, Data Breach Reports in UK Have Quadrupled).
In July, Laura Middleton, who heads the ICO's personal data breach enforcement team, warned that "the 72 hours isn't just to email or phone us" with a heads-up about a breach, but rather to provide a report to the ICO including a number of details it specifies on its website
Regulator Seeks Urgent Clarifications
Already, Ireland's DPC has signaled via Twitter that it finds Facebook's data breach report incomplete. "The DPC is concerned that this breach was discovered on Tuesday and affects millions of users," it says. "At present, Facebook is unable to clarify the nature of the breach and risk to users. We are pressing Facebook to urgently clarify these matters."
Facebook data breach. The DPC is concerned that this breach was discovered on Tuesday & affects millions of users. At present Facebook is unable to clarify the nature of the breach & risk to users. We are pressing Facebook to urgently clarify these matters. #dataprotection— Data Protection Commission Ireland (@DPCIreland) September 28, 2018
Later on Monday, Facebook said that it was working to provide additional details as quickly as possible.
We're working with regulators including the Irish Data Protection Commission to share preliminary data about Friday's security issue. As we work to confirm the location of those potentially affected, we plan to release further info soon. https://t.co/Cs1uSMtBNk— Facebook (@facebook) October 1, 2018
Steep Potential Fines
Any organization that fails to alert authorities to a breach in a timely manner, as well as to provide required information, can find itself at the receiving end of stiff fines.
Organizations that fail to comply with GDPR can face fines of up to 4 percent of an organization's annual global revenue or €20 million ($23 million), whichever is greater. Separately, organizations that fail to comply with GDPR's reporting requirements also face fines of up to €10 million ($12 million) or 2 percent of annual global revenue.
In 2017, Facebook's annual global revenue was $40.7 billion, meaning that if it was found to have violated both GDPR and the reporting requirements, it would face a theoretical maximum $2.4 billion fine.
But regulators have indicated that the maximum fines would likely be reserved for organizations that attempted to cover up a breach, or those that had inexcusable information security practices and procedures in place (see Equifax Hit With Maximum UK Privacy Fine After Mega-Breach).
At Risk: Facebook Social Login
Meanwhile, the breach also puts at risk anyone who ever used Facebook social login, a feature that allows users who are logged into Facebook to automatically log into other sites.
Behind the scenes, Facebook generates an access token, allowing for the single sign-on behavior, which it can also share with any other sites designated by a user, to automatically log them into that site as well.
"In line with GDPR, those external systems and apps also need to notify Data Protection Authorities in case of a suspected breach," Lukasz Olejnik, an independent cybersecurity and privacy researcher, says via Twitter.
In line with #GDPR, those external systems and apps also need to notify Data Protection Authorities in case of a suspected breach. A breach should be suspected. Potentially huge. https://t.co/yaDSsBbQ70— Lukasz Olejnik (@lukOlejnik) September 29, 2018
He adds that these external services - including Tinder, Facebook's own Instagram and many others - should assume they have been breached until proven otherwise.
Class Action Lawsuits
Facebook also faces class action lawsuits over the breach.
On Friday, attorneys in the U.S. filed a class action lawsuit in the Northern District of California tied to the breach. Facebook also faces potential class action lawsuits in Europe, which could seek compensation not just for direct damages, but also indirect damages (see GDPR: Data Breach Class Action Lawsuits Come to Europe).
Breach Reports Escalate
While the scale of Facebook's data breach is massive, it continues an ongoing trend being seen across Europe: More organizations are reporting more breaches to DPAs.
In July, the ICO reported that the number of reports of data breaches that it was receiving had quadrupled after GDPR went into full effect.
On Tuesday, a report from the Commission nationale de l'information et des libertés, or CNIL, which is France's DPA, says that since May 25, it has received more than 600 data breach notifications - averaging seven per day - involving about 15 million people's personal data.
Information security experts caution that the increase in breach reports does not necessarily mean that there has been an increase in the quantity of breaches hitting European organizations.
"Since the GDPR was introduced in May, what we are seeing is an increase in the reporting of the breaches that are happening," Brian Honan, who heads Dublin-based cybersecurity firm BH Consulting, has told Information Security Media Group. "So there is not necessarily an increase in the number of breaches since May 25, but rather we now have better visibility on data breaches."
Privacy Complaints Increase
Europeans who believe that their personal data has been misused have also been filing a record number of complaints with privacy authorities.
In the four months since GDPR enforcement began on May 25, France's CNIL says that it has received 3,767 complaints about organizations' data privacy practices, compared with the 2,294 complaints that it received over the same four-month period in 2017, which was already a record year. "This represents an increase of 64 percent and reflects the fact that citizens have strongly seized on GDPR," CNIL says. "This is undoubtedly due to a recent media spotlight on data protection" that it notes is being driven not only by GDPR but also Facebook's Cambridge Analytica scandal.
This story has been updated with additional details from Facebook.