On Sept. 25, Facebook suffered a security breach that gave hackers access to 50 million accounts, and it now runs the risk of a crippling $1.63 billion fine for failing to protect its customers’ data. The EU’s GDPR (General Data Protection Regulation) stipulates that non-compliant organizations may be fined up to €20 million (around $23 million) or 4% of their global annual revenue, whichever is higher. Facebook’s reported 2017 revenue was $40.7B.
Facebook’s CEO Mark Zuckerberg said: “Security is an arms race, and we’re continuing to improve our defenses”.
As required by the Regulation, Facebook reported the breach within 72 hours to its EU regulator, the Irish DPC (Data Protection Commission). Upon receiving the report, the DPC tweeted: “At present Facebook is unable to clarify the nature of the breach & risk to users. We are pressing Facebook to urgently clarify these matters.” The FBI was also notified and is investigating.
Guy Rosen, Facebook’s VP of product management, said:
“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
Concurrent with this attack, Facebook confirmed it was using shadow data for advertisements – something it had previously denied. Only after an investigative story by Gizmodo was Facebook forced to admit it. Last April, in testimony before the U.S. Congress, Zuckerberg was unclear about how users can opt out of data sharing.
Use of shadow data is a violation of the GDPR. Under the Regulation, data subjects have the absolute right to reject their data being shared with advertisers. However, Facebook created shadow profiles to analyze accounts, recommend new contacts, and have targeted advertisements placed on users’ feeds. Furthermore, the phone numbers that users supply for security reasons were shared with advertisers. There may be a separate or expanded investigation for this violation.
Most social networking organizations process EU residents’ data, and therefore fall within the GDPR’s scope. They should already be complying with the Regulation by having appropriate technical and organizational measures – among other things – in place.
But if these – or other – organizations are not (fully) GDPR-compliant yet, or unsure whether they need to be in the first place, they needn’t worry. IT Governance USA offers a range of free resources to help organizations understand the Regulation, and recommends our next webinar: GDPR compliance and information security: reducing data breach risk.
Sign up for our webinar
This webinar will take place on October 23, 2018 at 1:00–2:00 pm (EDT). If you can’t make the presentation, it will be available to download from our website, where you can also browse our previous webinars.
You can also preview our upcoming presentations, including the rest of our GDPR series.
There will be four more presentations between now and the end of the year, each one covering a specific aspect of the Regulation.
Get started with your GDPR compliance project
Take our West Coast course. Los Angeles residents can now take our Certified EU General Data Protection Regulation Foundation (GDPR) Training Course in person on November 26, 9:00 a.m. to 5:00 p.m. PST. You will get a comprehensive introduction to the GDPR and a practical understanding of the implications and legal requirements for U.S. organizations in this one-day introductory training course. Register now.