Irish data chief weighs debut investigation into Facebook breach
With five million Irish and European users hit by an attack which could have put 50 million accounts at risk, the social media giant faces a massive fine under new EU rules, writes Adrian Weckler
The Irish Data Protection Commission is likely to initiate a formal investigation into how Facebook fell victim to a massive data breach affecting up to five million Irish and European users.
The regulatory body is at the centre of worldwide attention after Facebook revealed that 50 million accounts were at risk from hackers.
Under the EU's new GDPR rules, Facebook faces a fine of almost €1.5bn in a worst-case scenario.
"Before we would launch any investigation there are steps that would have to be taken in relation to information gathering and preparing the scope of an inquiry," a spokesman for the data protection commissioner said.
"Furthermore, we would need to establish under which provisions of the Data Protection Act 2018 we would conduct it. We are currently engaged in those steps."
However, the watchdog is under public pressure to investigate the social media giant from a range of authorities, including EU commissioners.
Irish DPC executives are understood to be disappointed with the sparse level of information disclosed by Facebook to data protection authorities about the breach, with the organisation earlier tweeting that it had "urgently" sought more data on the issue.
The Facebook data breach represents the first major test of data privacy enforcement since the EU-wide GDPR law came into effect in May of this year.
The EU's justice commissioner, Vera Jourova, told American media that she was in "close contact" with Commissioner Helen Dixon's office and said that the Irish DPC is "intensively working on this case".
"For these cases, I think Europe is equipped with GDPR because we have very strict rules and we have very strong instruments to discipline the companies which deal and which handle the private data of people, which is obviously the case with Facebook," she told the US broadcaster CNBC. "We are waiting for further information over the next days."
However, some security experts have questioned the speed at which Facebook and other big companies are now expected to communicate details about their data breaches.
"[One] interesting impact of the GDPR 72-hour deadline [is] companies announcing breaches before investigations are complete," said former Facebook and Yahoo security chief Alex Stamos.
Stamos claimed that the haste required in informing regulators results in "lots of rumours" and means that "everybody is confused on the actual impact".
"You can do incident response quickly or correctly, but not both," he said.
"The other interesting impact is the foreclosing of any possible coordination with law enforcement.
"I once ran response for a breach of a financial institution, which wasn't disclosed for months as the company was working with the USSS [United States Secret Service] to lure the attackers into a trap. It worked."
Facebook's vice-president of product management, Guy Rosen, said that the company does not know who is responsible for the data breach.
"Since we've only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don't know who's behind these attacks or where they're based," he said.
"This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted 'View As'. The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens."
Facebook faces other potential road bumps across Europe in the coming months.
Earlier this week, the head of Germany's antitrust watchdog said that he was "very optimistic" that his office would take action against Facebook this year after finding it had abused its market dominance to gather data on people without their consent.
"We are currently evaluating Facebook's opinion on our preliminary assessment and I'm very optimistic that we are going to take further steps, even this year, whatever this would mean," Federal Cartel Office President Andreas Mundt told a conference on competition law in Berlin.
Facebook has had a difficult year, having endured a barrage of criticism for the ease with which its data could be manipulated for political ends. CEO Mark Zuckerberg was forced to appear before the US Senate and House of Representatives following the Cambridge Analytica scandal.
The issue of data breaches is to be explored at Information Sec 2018, Ireland's cybersecurity conference. The conference is an Independent News & Media event. For tickets and more information, see independent.ie/infosec18