Facebook is racing to provide more information to European regulators about a major security breach affecting an estimated 50 million user accounts, with the threat of major GDPR fines hanging over the firm.
The social network’s lead supervisory authority in the region, the Irish Data Protection Commission (DPC), tweeted an update on Sunday that it is “awaiting from Facebook further urgent details of the security breach impacting some 50m users, including details of EU users which have been affected, so that we can properly assess the nature of the breach and risk to users.”
This follows a statement posted to Twitter on Friday that it was pressing Facebook to “urgently clarify” the nature of the incident and risk to customers.
Facebook replied, saying it is “co-operating fully” and will share more information “as soon as we have it.”
The UK’s privacy watchdog, instrumental in the creation of the GDPR, is also pressing the firm.
“It’s always the company’s responsibility to identify when UK citizens have been affected as part of a data breach and take steps to reduce any harm to consumers,” said ICO deputy commissioner of operations, James Dipple-Johnstone.
“We will be making enquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected.”
Although Facebook acted swiftly on Thursday to address the three vulnerabilities in its video uploader that hackers exploited to grab account access tokens, the bugs themselves had gone undiscovered since a July 2017 update introduced them.
With those tokens, hackers could not only access users’ Facebook accounts but also, in theory, any other app those users had logged into via Facebook.
Hyperbolic headlines in many major media titles have shouted about possible fines of over $1bn for the social network, but the firm seems to be taking the right approach to incident response, according to experts.
“Following the identification of the breach, Facebook were quick to address the vulnerability, take steps to minimize the risk of further user data compromise and inform the relevant authorities,” said Hitesh Kargathra, lead security consultant at Falanx Group.
“I would expect Facebook to publish further details of the breach following a more in-depth assessment, including how long user accounts were compromised prior to the identification of the breach, the impact of the breach on users and what steps have been taken to protect user privacy in the event of future breaches of the social media platform.”
The FBI has also been called in to investigate, with some suspecting that the exploitation of three vulnerabilities in a relatively sophisticated attack smacks of state-sponsored interference.
“In order to bypass Facebook’s security controls without raising alarm bells, this attack would have had to be complex, sophisticated, and stealthy. Complex attacks have many moving parts that often appear as individual, subtle anomalies hiding within the noise of the network,” argued Darktrace APAC managing director, Sanjay Aurora.
“With upcoming elections around the corner, it would be remiss not to consider the possibility of nation-state actors with political motives.”
David Atkinson, founder of Senseon, also raised the possibility of state involvement.
“What I would conclude from this is that the attack was carried out by an advanced group or likely nation state, who have the resources to constantly sweep massive and therefore attractive targets, like Facebook, to spot vulnerabilities,” he said.