Facebook data breach

Irish Independent - Business Week - FRONT PAGE

Irish data chief sets sights on first investigation into hacking of 50 million accounts

With five million Irish and European users hit by an attack which could have put 50 million accounts at risk, the social media giant faces a massive fine under new EU rules, writes Adrian Weckler

THE Irish Data Protection Commission is likely to initiate a formal investigation into how Facebook fell victim to a massive data breach affecting up to five million Irish and European users. The regulatory body is at the centre of worldwide attention after Facebook revealed that 50 million accounts were at risk from hackers.

Under the EU’s new GDPR rules, Facebook faces a fine of almost €1.5bn in a worst-case scenario.

“Before we would launch any investigation there are steps that would have to be taken in relation to information gathering and preparing the scope of an inquiry,” a spokesman for the data protection commissioner said.

“Furthermore, we would need to establish under which provisions of the Data Protection Act 2018 we would conduct it. We are currently engaged in those steps.”

However, the watchdog is under public pressure to investigate the social media giant from a range of authorities, including EU commissioners.

Irish DPC executives are understood to be disappointed with the sparse level of information disclosed by Facebook to data protection authorities about the breach, with the organisation earlier tweeting that it had “urgently” sought more data on the issue.

The Facebook data breach represents the first major test of data privacy enforcement since the EU-wide GDPR law came into effect in May of this year.

The EU’s justice commissioner, Vera Jourova, told American media that she was in “close contact” with Commissioner Helen Dixon’s office and said that the Irish DPC is “intensively working on this case”.

“For these cases, I think Europe is equipped with GDPR because we have very strict rules and we have very strong instruments to discipline the companies which deal and which handle the private data of people, which is obviously the case with Facebook,” she told the US broadcaster CNBC. “We are waiting for further information over the next days.”

However, some security experts have questioned the rapid speed at which Facebook and other big companies are now expected to communicate details about their data breaches.

“[One] interesting impact of the GDPR 72-hour deadline [is] companies announcing breaches before investigations are complete,” said former Facebook and Yahoo security chief Alex Stamos.

Stamos claimed that the haste required in informing regulators results in “lots of rumours” and means that “everybody is confused on the actual impact”.

“You can do incident response quickly or correctly, but not both,” he said.

“The other interesting impact is the foreclosing of any possible coordination with law enforcement.

“I once ran response for a breach of a financial institution, which wasn’t disclosed for months as the company was working with the USSS [United States Secret Service] to lure the attackers into a trap. It worked.”

Facebook’s vice-president of product management, Guy Rosen, said that the company does not know who is responsible for the data breach.

“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based,” he said.

“This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted ‘View As’. The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.”

Facebook faces other potential roadbumps across Europe in the coming months.

Earlier this week, the head of Germany’s antitrust watchdog said that he was “very optimistic” that his office would take action against Facebook this year after finding it had abused its market dominance to gather data on people without their consent.

“We are currently evaluating Facebook’s opinion on our preliminary assessment and I’m very optimistic that we are going to take further steps, even this year, whatever this would mean,” Federal Cartel Office President Andreas Mundt told a conference on competition law in Berlin.

Facebook has had a difficult year, having endured a barrage of criticism for the ease with which its data could be manipulated for political ends. CEO Mark Zuckerberg was forced to appear before the US Senate and House of Representatives following the Cambridge Analytica scandal.

Contact: The EU’s justice commissioner, Vera Jourova (inset left), said she was in ‘close contact’ with Irish Data Protection Commissioner Helen Dixon

The issue of data breaches is to be explored in Information Sec 2018, Ireland’s cybersecurity conference. The conference is an Independent News & Media event. For tickets and more information, see independent.ie/infosec18
