Facebook has revealed that its engineers discovered, and have since addressed, a serious data breach on Tuesday, September 25, which affected approximately 50m account holders. Impacted users have been sent a notification and automatically logged out of their accounts, meaning that they needed to log back in to regain secure access.
Facebook shares, which were already down about 1.5% before the announcement, extended losses after the disclosure and ended down 2.6%. However, the news may get worse for the social media giant as, under the newly introduced General Data Protection Regulation, the European Union could impose a fine that would equate to 4% of Facebook’s annual global revenue – a figure that would currently amount to approximately €1.63bn.
Mark Zuckerberg, Chairman, Chief Executive Officer and Founder of Facebook, said in a Facebook post last week: “On Tuesday, we discovered that an attacker exploited a technical vulnerability to steal access tokens that would allow them to log into about 50 million people’s accounts on Facebook. We do not yet know whether these accounts were misused but we are continuing to look into this and will update when we learn more.”
He went on to say: “I’m glad we found this and fixed the vulnerability. But it definitely is an issue that this happened in the first place. I think this underscores the attacks that our community and our services face.”
This is the latest incident in a particularly turbulent time for Facebook in relation to the protection of its users’ private information and data. Earlier this year the group had to deal with the Cambridge Analytica scandal, when an external company was found to have shared personal data acquired without the express permission of those it related to. That breach took place before the introduction of GDPR.
Facebook has said that the hacker who carried out this cyber attack exploited three bugs that were added to the site’s “View As” feature in July 2017. “View As” allows users to see what their profile looks like to other Facebook users. Facebook said it addressed the bug on Thursday night and has notified the relevant law enforcement agencies, including the FBI, as well as the Irish Data Protection Commission in order to comply with General Data Protection Regulation (GDPR) requirements.
So far Facebook has been unable to identify the cyber attackers, or their location. Guy Rosen, Facebook’s Vice President of product, said on a call with reporters Friday: “We haven’t seen that the access tokens were used to access private messages, or posts, or post anything to the accounts. It’s important to say: The attackers could use the account as if they are the account holder. Our investigation is early and it’s hard to determine exactly who was behind this. We may never know.”
After Facebook made the announcement on Friday revealing the data breach, Democratic Senator Mark Warner of Virginia – who is also the Vice Chairman of the Senate Intelligence Committee – called for a “full investigation” into the hacking incident. He said: “Today’s disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures. This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users.”