Following the revelation that up to 50 million Facebook accounts may have been accessed in an attack due to a weakness in the platform’s code, many questions remain about the breach.
In theory, Facebook could be fined if it is found to be in breach of GDPR, Europe’s data protection rules.
It has not revealed whether other services which people use their Facebook log-ins for – such as Tinder and Spotify – have also been affected.
Facebook has now fixed the issue.
People potentially affected were logged out of their accounts on Friday and those definitely affected were notified.
Facebook says it has identified 50 million accounts which were certainly involved in the breach, with an extra 40 million also warned as a precautionary measure.
The Irish Data Protection Commission says fewer than 10% of the 50 million are believed to be European accounts.
It is also unknown whether the friends of affected users were affected too, as their data would have been visible to anyone with access to an individual’s account.
Will Facebook be fined?
The Wall Street Journal reports that Facebook could face a fine of up to $1.63bn (£1.25bn) – 4% of its annual global turnover – which is the absolute maximum that could be imposed by the Irish Data Protection Commissioner if the firm is found to be in breach of Europe’s GDPR privacy legislation.
As Facebook Europe is based in Ireland, this is the authority it will deal with.
There are rules regarding the reporting of such a breach and so far Facebook has stuck to them.
An information breach is supposed to be reported within 72 hours of discovery and this is what Facebook appears to have done – it says it discovered the breach on Tuesday, notified the commissioner on Thursday and alerted the public on Friday after fixing the vulnerability.
The Information Commissioner says it recognises that firms may not have all the answers regarding an incident within 72 hours, and that information can be shared as it is discovered – and Facebook has admitted it is “at the very start” of its investigation.
Data protection adviser Jon Baines from the law firm Mishcon de Reya LLP told the BBC it was impossible to know how likely a fine is at this early stage.
“No matter how good an organisation’s response is to a personal data breach, it is what went before that will count against it,” he said.
“So, if Facebook is found not to have taken sufficiently robust measures [to prevent the vulnerability], it may be held to have infringed GDPR, even if its response since has been exemplary.”
Could it face legal action from its two billion members?
A class action lawsuit has already been filed in California by two Facebook users who claim the firm was negligent in allowing accounts to be compromised, reports Bloomberg.
It accuses Facebook of a “continuing and absolute disregard” in its treatment of account holders’ personal information.
Who did it?
Facebook said it doesn’t know who was behind the attacks or where they are based.
It also said it doesn’t know what – if any – personal information was accessed.
However, it did acknowledge that the weakness in its code dates back to a change made in July 2017, meaning the accounts were vulnerable from that time.
Although exploiting the weakness was reportedly quite a complex process, it has been reported that there were videos on YouTube explaining how to hack the platform.
Are other platforms affected?
The BBC has asked Spotify and Tinder, both of which can be accessed via a Facebook log-in, whether their services have been affected as a result of the breach.
“It appears it could very well affect other platforms if you have used Facebook as your means of logging in,” said Prof Alan Woodward, a cyber-security expert from Surrey University.
“Some password managers have been issuing warnings today to go change your passwords for that very reason.”
Prof Woodward advised creating individual log-ins for each service.