Facebook could face massive fine as EU prepares inquiry over account breach
The EU is preparing to investigate Facebook over a data breach that saw 50 million accounts compromised, nearly five million of which are believed to be European users.
Investigators at the Irish Data Protection Commission (IDPC) – the lead supervisory authority for Facebook in the EU – are gathering information and establishing the basis for an inquiry under the General Data Protection Regulation introduced this year.
If it is found to have broken the guidelines, the social media giant could face a maximum fine of £1.26 billion or 4 per cent of annual revenue.
Graham Doyle, head of communications at the IDPC, said: “Before we would launch any investigation there are steps that would have to be taken in relation to information gathering and preparing the scope of an inquiry. Furthermore we would need to establish under which provisions of the Data Protection Act 2018 we would conduct it. We are currently engaged in those steps.”
Facebook, which was founded by Mark Zuckerberg, confirmed on Monday it was working with the IDPC to “share preliminary data” about the breach.
Mr Doyle added: “Facebook issued a blog on Friday indicating that 50 million accounts were potentially affected by a security issue. We understand that the number of EU accounts potentially affected is less than 10 per cent of that.
“Facebook has assured us that they will be in a position to provide a further breakdown in relation to more detailed numbers soon.”
The social media giant, which has more than 2 billion users worldwide, had announced engineers discovered a “security issue” that allowed hackers to easily collect access tokens from 50 million accounts. The tokens work as digital keys, letting those who hold them log into Facebook accounts without entering a password.
Facebook vice-president of product management Guy Rosen said the affected tokens had been reset. But experts have since warned the same digital keys could have been used to log into any third-party services.