As security experts continue to assess the scope and impact of a Facebook data breach affecting nearly 50 million accounts, the social media giant reportedly could be assessed a financial penalty of as much as $1.63 billion for violating Europe's GDPR regulations.
The Wall Street Journal arrived at this figure by calculating four percent of Facebook's global annual revenue from the prior year -- which is the maximum fine European regulators can hand down for GDPR infractions. (Alternatively, companies can be levied a maximum flat fine of €20 million.)
The WSJ also reported that Ireland’s Data Protection Commission, acting on behalf of the European Union, said on Saturday it is demanding more information from Facebook about the breach, including which EU residents might be affected. Should regulators find that Facebook acted insufficiently to secure the breached data, punitive actions could eventually follow.
"From a legal point of view, this incident may become a notorious milestone of GDPR enforcement by the EU regulators. A multi-million fine is not that impossible under the integrity of circumstances," said Ilia Kolochenko, CEO and founder of High-Tech Bridge, said in emailed comments. "As for the U.S., a class action and individual lawsuits can cause a lot of trouble for Facebook, potentially with even higher penalties or settlements, exacerbated by legal costs and a jeopardized public image."
Indeed, attorneys representing plaintiffs from California and Virginia have already filed a class-action lawsuit against Facebook in a Northern California federal District Count.
In a security update posted last Friday, Facebook VP of Product Management Guy Rosen disclosed that attackers had recently exploited a trio of vulnerabilities related to the platform's "View As" feature, in order to expose and steal HTML-based access tokens that could be used to hijack people's accounts. In response, Facebook fixed the bugs and also reset the access tokens for roughly 90 million of its users.
But later, in an ensuing conference call with reporters, Rosen also acknowledged the breach could have even greater implications, as it potentially impacted the security of various third-party apps and services that allow customers to log on using their Facebook credentials.
"The vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were the account holder themselves," said Rosen. "This does mean they could have accessed other third-party apps that were using Facebook login," up until the point at which the tokens were reset, he added.
Rosen said it was too early to confirm if user accounts on any third-party apps were accessed or compromised.
In an update to the company's security advisory, Pedro Canahuati, VP of engineering, security and privacy explained that the problem stepped from the accidental inclusion of a video uploader tool when using the "View As" product to see how your web page looks to other people. The latest version of this uploader tool, created in July 2017, incorrectly generated an access token -- and what's worse, this token was not granted for the viewers themselves, but for the users they were looking up through the "View As" tool.
Satya Gupta, CTO and co-founder of Virsec, said that the 'View As' feature "was clearly built without thinking through security… Armed with someone else’s access token you can get to lots of private and highly privileged information. In addition, millions of people use their Facebook ID… to connect to other services where they might be storing files, making purchases, or doing other things that they thought were private. Facebook claims to not know what these 50 million access tokens are being used for, [but] you can bet that the thieves have found them to be very valuable."
In the meantime, the true severity of the breach will likely not be known until Facebook sheds more light on the incident, including what kinds of data were compromised.
"The access tokens that were compromised would typically be limited to particular aspects of data within a user's account -- for example, just their location, age, or photos. This approach follows the security best practice approach of only granting the least privileges required for a particular action. Therefore, it may be the case that... only a limited amount of data was exposed from other user's profiles," speculated William Knowles, security consultant at MWR, an F-Secure company. "However, it could equally be the opposite, and users will be unable to determine the extent to which they were affected until confirmed by Facebook.”