Facebook could face $1.63bn fine under GDPR over latest data breach

Facebook was fined £500,000 under the Data Protection Act for the Cambridge Analytica scandal but may not get away so lightly this time.
Written by Charlie Osborne, Contributing Writer

Facebook could face potentially billions in fines under GDPR for the latest data breach which impacted roughly 50 million accounts.

The security incident, revealed last week, was caused by a vulnerability in Facebook's code which permitted attackers to steal access tokens.

Access tokens are used to keep Facebook users logged in when they switch over to a public profile view via the "View As" feature.

The breach was detected on September 25. The vulnerability, comprising of three separate bugs, has been resolved and the access tokens of affected users have been reset, alongside an additional 40 million users that were subject to a "View As" lookup over the past 12 months.

See also: Facebook discloses network breach affecting 50 million user accounts | Facebook says it detected security breach after traffic spike

It took mere hours before class-action lawsuits were filed against Facebook for failing to protect user data. It seems that it took only a little longer for regulators to become involved.

According to the Data Protection Commission (DPC) for Ireland, the number of affected accounts involved in the latest security incident relating to EU citizens is less than 10 percent of the total 50 million users impacted.


This works out to roughly five million users, which is still a huge number of people who may have had their data accessed or stolen.

Facebook said in response:

"We're working with regulators including the Irish Data Protection Commission to share preliminary data about Friday's security issue.

As we work to confirm the location of those potentially affected, we plan to release further info soon."

Under the Data Protection Act 1998, Facebook was fined £500,000 by the UK's Information Commissioner's Office (ICO) for permitting the data-harvesting antics of Cambridge Analytica, leading to the improper sharing of data belonging to 87 million Facebook users in the UK, US, and beyond.

TechRepublic: Facebook data privacy scandal: A cheat sheet

The old privacy laws which once held sway in Europe permitted a maximum fine of £500,000, and this was the same amount that Equifax was fined over a data breach which compromised data belonging to 15 million UK citizens.

However, now businesses in the EU are held accountable under the General Data Protection Regulation (GDPR), which came into effect May 25, the potential financial ramifications could be far more serious.

CNET: Facebook's Asia team moves to gigantic new headquarters in Singapore

The UK has already issued its first GDPR notice against AggregateIQ Data Services (AIQ), which has been connected to the Facebook-Cambridge Analytica data scandal.

If Facebook is found to be in breach of GDPR for failing to adequately protect user data over this incident, the company faces a fine of up to €20 million or 4 percent of annual global turnover -- and as the fine applies to whichever is higher, the social networking giant could find itself forking out far more.

Based on Facebook's financial results for the last fiscal year, the fine could be up to $1.63 billion.

In the firm's Q2 2018 financial results, Facebook reported net income of $5.1 billion and non-GAAP earnings of $1.74 per share on revenue of $13.23 billion.

The data breach is not the only headache Facebook recently had to cope with. The company has also faced criticism over its use of phone numbers given by users in the interest of security for targeted advertising.

The worst cyberattacks undertaken by nation-state hackers

Previous and related coverage

Editorial standards