Facebook’s stunning disclosure of a massive hack on Friday, in which attackers gained access tokens for at least 50 million accounts – bypassing all security measures and potentially giving them full control of both profiles and linked apps – has already stirred threats of a $1.63 billion fine in the European Union, according to the Wall Street Journal.
The attackers exploited flaws in the site’s “View As” feature and its video uploader to obtain the tokens, forcing Facebook to reset access tokens for the 50 million affected users and, as a precaution, for 40 million others. (That means if you were logged out of your devices, you were affected.) Facebook has not said whether the attackers attempted to extract data from the affected profiles, but vice president of product management Guy Rosen told reporters that they had attempted to harvest private information from Facebook’s systems, according to the New York Times. Rosen also said Facebook was unable to determine the extent to which third-party apps could have been compromised.
The idea that Facebook "doesn't know what information people have accessed" is disingenuous. FULL ACCOUNT ACCESS means they could do literally everything you do on Facebook.
– rat king (@MikeIsaac) September 28, 2018
It remains unclear whether the attackers could have gained access to the most sensitive information stored on the network like direct messages. Facebook has said the attack was highly sophisticated, their response is in its early stages, and they may never know who was behind it. When Gizmodo reached out for more details this weekend, a Facebook representative directed us to their prior statements on the attack, which contain only the details previously available.
I asked Facebook how sophisticated the hackers were and whether this could be nation-state activity. Rosen says attack was "complex" and leveraged three multiple bugs that interacted together. "We may never know" the identity of the hackers, Rosen adds.
– Dustin Volz (@dnvolz) September 28, 2018
1) Nation states do not always use more sophisticated TTPs than criminal organizations.
2) Nation states do not always have more sophisticated TTPs than criminal organizations.
3) Nation states aren’t necessarily afraid to contact the services of criminal organizations.
– Lesley Carhart (@hacks4pancakes) September 28, 2018
According to the Journal, the European Union’s top privacy watchdog for Facebook, Ireland’s Data Protection Commission, is also struggling to learn information about what exactly happened:
Ireland’s Data Protection Commission, which is Facebook’s lead privacy regulator in Europe, said Saturday that it has demanded more information from the company about the nature and scale of the breach, including which EU residents might be affected.
In an emailed statement, the regulator said it is “concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.”
The Journal wrote that the breach may trigger the maximum fines possible under Europe’s recently enacted General Data Privacy Regulation, which is four percent of a firm’s global revenue for the prior year. That would be £1.25 billion:
Under GDPR, companies that don’t do enough to safeguard their users’ data risk a maximum fine of €20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Facebook’s maximum fine would be $1.63 billion using the larger calculation.
The law also requires companies to notify regulators of breaches within 72 hours, under threat of a maximum fine of 2% of world-wide revenue.
As the Journal noted, European regulators have not used the GDPR to levy fines yet and it remains to be seen whether they would apply the maximum penalty or any at all, especially if they determine Facebook “took appropriate steps to safeguard its users’ data before the hack” and “has cooperated or been in at least partial compliance.” However, the GDPR contains recommendations that companies store as little user data as necessary, potentially exposing Facebook to higher liability. The European Commission also recently demanded Facebook better disclose to users “how their data is being used or face consumer-protection sanctions in several countries,” the paper added.
In the U.S., where no equivalent to the GDPR exists, the possibility of such a fine for this incident is more remote. Facebook is still facing a Federal Trade Commission investigation into whether several data breaches, including the Cambridge Analytica scandal and a data-scraping incident that affected most of its 2.2 billion users, violated a 2011 consent decree on user privacy, which could result in record fines of over a billion dollars. It’s unclear what role the current debacle could play in that investigation, but the FTC’s chief, Rohit Chopra, tweeted “I want answers.”
I want answers. https://t.co/kZSttt4fmF
– Rohit Chopra (@chopraftc) September 28, 2018
Facebook is also facing unprecedented pressure from high-profile conservatives angry about unfounded claims that West Coast-based tech companies regularly censor them. Simultaneously, it is still facing pressure from privacy advocates furious about prior privacy breaches, and it recently saw the departure of the founders of its subsidiaries Instagram and WhatsApp amid reports of power struggles with their parent company. Facebook’s stock dropped precipitously in July amid flagging growth numbers and has not recovered. It would be disingenuous to pretend that the concerns driving the backlash against Facebook are entirely bipartisan, but the network has trodden well into dangerous territory – and if it turns out attackers gained access to and misused sensitive user data, it could get much worse, quickly.
Facebook began notifying users over the weekend of the breach, but it sent it out in the form of a notice posted at the top of news feeds titled “An Important Security Update” containing the same information sent to reporters. Presumably the social media giant will begin releasing more information about the breach soon, but the radio silence throughout the weekend indicates that it is either still in the process of gathering that data or is deciding how to disclose it. [Wall Street Journal]
Featured image: Richard Drew (AP)