Facebook data breach probe launched by Irish watchdog

Image caption: The Irish Data Commission will decide whether the EU should penalise Facebook rather than there being country-by-country reviews

The Irish Data Protection Commission has formally begun an investigation into Facebook’s recent data breach.

It will now decide whether the firm should be fined for failing to prevent hackers from being able to access up to 50 million users’ accounts.

Earlier this year, the social network picked the regulator to be its “one-stop shop” for oversight of its compliance with EU privacy rules.

In theory, the watchdog can fine the US firm up to 4% of its global turnover.

Investigation commenced into Facebook data breach. @DPCIreland statement beneath. #dataprotection #GDPR #eudatap pic.twitter.com/7eHKUigTq5

— Data Protection Commission Ireland (@DPCIreland) October 3, 2018

Earlier, Facebook had declared that third-party apps and services which let users log in using their accounts had not appeared to have been compromised in the security attack.

Tinder and Airbnb are among those which accept Facebook log-ins as an alternative to creating an account.

Initially Facebook had suggested it was possible platforms such as these could also have been compromised.

The firm’s former security chief said this was a consequence of having to report a breach at an early stage of the investigation.

The breach was announced on Friday 28 September, one day after Facebook notified the Irish data regulator, but with many unanswered questions.

Alex Stamos, who left his post as the firm’s chief security officer in August, tweeted that new European privacy laws mean that firms must report data breaches before they know full details themselves.

The General Data Protection Regulation (GDPR) legislation, introduced in May 2018, states that a firm must report any security breach within 72 hours.

Twitter post by @alexstamos: Interesting impact of the GDPR 72-hour deadline: companies announcing breaches before investigations are complete. 1) Announce & cop to max possible impacted users. 2) Everybody is confused on actual impact, lots of rumors. 3) A month later truth is included in official filing.

“You can do incident response quickly or not correctly, but not both!” he wrote.

However, some people responding argued that the public had a right to know sooner rather than later.

“The 72-hour notification brings the customer needs to the forefront, rather than shareholder value,” tweeted James.

Twitter post by @jamgia: If I was in charge of #IncidentResponse I would want more time. But normally I'm the customer (or victim) - and I'd like to know asap, so I know what data/credentials etc are at risk. The 72hr notification brings the customer needs to the forefront, rather than shareholder value.

The background

Up to 50 million Facebook accounts are believed to have been left exposed in the breach, announced last week.

An additional 40 million users were also logged out as a precautionary measure.

The issue, which was based on a weakness in a feature allowing Facebook members to view how their profile appeared to others, has now been fixed.

In a blog publicising the latest information on the attack, Guy Rosen, vice-president of product management, wrote that there was no evidence “so far” that attackers had accessed any apps using Facebook log-ins.

The breach was a result of a change made by Facebook in July 2017.

It is not yet known whether the hack affected its corporate chat app, Workplace.

The firm has no evidence yet to suggest that it has, reports Reuters.
