Irish DPC ‘concerned’ about Facebook data breach
Reaction to news Friday that up to 50 million Facebook users were compromised in a data breach rippled through the privacy world over the weekend, prompting comments from the Irish Data Protection Commission, the U.K. Information Commissioner’s Officer, Sens. Mark Warner, D-Va., and Ed Markey, D-Mass., as well as FTC Commissioner Rohit Chopra. A class-action lawsuit was also filed within hours of the announcement.
In a blog post responding to the data breach, Facebook said its “investigation is still in its early stages.”
Monday afternoon, the Irish DPC announced in a tweet that less than 10 percent of the 50 million affected were EU citizens.
UPDATE Facebook data breach – @DPCIreland understands that the number of potentially affected EU accounts is less than 10% of the 50 million accounts in total potentially affected by the security breach. DPC Ireland statement beneath. #dataprotection #GDPR #EUdataP pic.twitter.com/oSfGy6DP2S
— Data Protection Commission Ireland (@DPCIreland) October 1, 2018
The New York Times first reported the incident Friday afternoon after a conference call with Facebook CEO Mark Zuckerberg and VP of Product Management Guy Rosen. Zuckerberg said Facebook’s engineering team “found an attack” that “exploited a vulnerability in the code of the View As feature, which is a privacy feature that lets people see what their Facebook profile would look like to another person.” Attackers could then take Facebook access tokens, allowing them to fully take over a person’s Facebook account or accounts that let users login via the Facebook login.
During the call, Zuckerberg and Rosen confirmed the company had alerted the Irish DPC and the U.S. Federal Bureau of Investigation.
In a series of strongly worded tweets, the Irish DPC also confirmed it was alerted to the data breach — reportedly within the 72-hour breach notification limit as mandated by the EU General Data Protection Regulation — but added it “is awaiting from Facebook further urgent details of the security breach” and whether EU users were affected.
Facebook data breach. The DPC is concerned that this breach was discovered on Tuesday & affects millions of users. At present Facebook is unable to clarify the nature of the breach & risk to users. We are pressing Facebook to urgently clarify these matters. #dataprotection
— Data Protection Commission Ireland (@DPCIreland) September 28, 2018
.@DPCIreland is awaiting from Facebook further urgent details of the security breach impacting some 50m users, including details of EU users which have been affected, so that we can properly assess the nature of the breach and risk to users. #dataprotection #GDPR #eudatap https://t.co/3oM3BSaSBS
— Data Protection Commission Ireland (@DPCIreland) September 30, 2018
EU Justice Commissioner Vera Jourova also urged Facebook to “fully cooperate” with the Irish DPC, and European Commission Vice-President for the Digital Single Market Andrus Ansip used the occasion to call for more security design in software.
This incident again underlines the need for secure design of software and ICT systems.
— Andrus Ansip (@Ansip_EU) September 30, 2018
FTC Commissioner Rohit Chopra, who will be interviewed by the IAPP’s Angelique Carson at Privacy. Security. Risk. later this month, said he wants more details from the company.
I want answers. https://t.co/kZSttt4fmF
— Rohit Chopra (@chopraftc) September 28, 2018
In comments to The New York Times, Chopra went further, saying, “Breaches don’t just violate our privacy. They create an enormous risk for our economy and national security. … The cost of inaction is growing, and we need answers.”
At least two Democratic Senators urged an investigation into the incident as well. Warner, who recently published a policy paper outlining potential privacy regulation of social media companies, said the incident “is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures.”
This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before – the era of the Wild West in social media is over. https://t.co/UFBZLMkFgi
— Mark Warner (@MarkWarner) September 28, 2018
And Sen. Ed Markey, who took part in last week’s Senate Commerce Committee hearing exploring consumer privacy and a potential U.S. privacy law, added:
50 million more reasons why we need federal privacy and data security regulations. This breach must be fully investigated and @Facebook must fully cooperate. No delays. No evasiveness. Full transparency.https://t.co/e1jPv2pRxy
— Ed Markey (@SenMarkey) September 28, 2018
However, while attention from U.S. policymakers may lead to ramifications, all eyes will likely turn to the European Union, where the GDPR’s consistency mechanism will truly be put to the test.
U.K. Information Commissioner’s Office Deputy Commissioner of Operations James Dipple-Johnstone said, “We will be making enquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected.”
Though many more details remain unanswered, the breach is the first major one for Facebook since the GDPR went into effect last May. Last month, British Airways notified users of a breach affecting credit cards used on its website. The Wall Street Journal reports that Facebook could face a maximum $1.63 billion fine under the GDPR based on its global annual turnover, but it is not clear at this stage whether it violated the regulation or if any of the conditions for triggering the highest fine amount would be met.
In an emailed statement to the WSJ, the Irish DPC said it is “concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.”
The incident highlights the difficulty companies face under a 72-hour notification deadline. In order to notify relevant authorities within the window, all the facts of a given breach incident may not yet be known. It may also test what comprises sound data security. DLA Piper Partner Andrew Dyson told the WSJ that, “When you talk about a business like Facebook that has huge resources and a larger user base, that is inevitably going to be seen as a higher bar. The expectation is that they are going to be deploying a very significant amount of resources” on data security.
Sarah Pearce, head of the data privacy and cybersecurity practice at Paul Hastings, said of companies handling big data in general, “If you are a company that is processing personal data on a large scale, the level of risk is going to be seen as higher, so the level of security will have to be higher.”
In a second conference call later Friday, Facebook revealed the flaw affects other third parties as well. Any accounts that allow the user to log in through Facebook, called Single Sign On, could have been affected as well. In the second call, Rosen explained, “The access token enables someone to use the account as if they were the account holder themselves. This does mean they could access other third-party apps using Facebook login will be able to detect those access tokens have been reset.”
The complexity of the features and the size of Facebook itself demonstrates the difficulty in maintaining data security. Security researcher Jean Yang pointed out that the breach “happened as a result of an unpredicted interaction between features. It’s super hard to reason about security/privacy when you’re building software in such a decentralized way.”
The most interesting thing about this FB breach is that it happened as a result of an unpredicted interaction between features. It’s super hard to reason about security/privacy when you’re building software in such a decentralized way. This is the exact problem I’m working on rn! https://t.co/YoS4ueg6er
— Jean Yang (@jeanqasaur) September 30, 2018
The breach prompted Consumers Union, the advocacy division of Consumer Reports, to call for stronger data protection and breach notifications laws in the U.S. Director of Consumer Privacy and Technology Policy Justin Brookman said, “Existing consumer protection law provides few clear obligations for companies to safeguard sensitive data. And most state notification laws don’t cover social media accounts, so companies don’t have an obligation to tell you when your data has been exposed. Consumers deserve comprehensive data security and data breach notification laws that make protecting their personal information the top priority.”
To top things off, users trying to post news of the breach on Facebook — specifically links from The Guardian and the Associated Press — were not allowed to do so because the company’s automated systems detected them as spam.
— Jed Bracy (@JedBracy) September 28, 2018
In a tweet, the official Facebook account told NYTs reporter Kate Conger that its “automated systems incorrectly marked the two articles as spam. The issue has been resolved and articles can be shared now.”
Original Piece https://iapp.org/