Facebook's 'View As' breach triggers EU-wide probe

8 October 2018 8:49am

2 October 2018. By Vesela Gladicheva

Facebook's latest security failure is the first high-profile breach to result in an EU-wide investigation under the bloc's new privacy rules, led by the Irish regulator with input from Paris, Madrid, Warsaw, Rome, Athens, London and possibly more national watchdogs concerned by the potential infringement.

The Polish privacy regulator said today that it is taking part in the Irish Data Protection Commission's investigation under the General Data Protection Regulation. The French, Spanish, Italian, Greek and UK regulators told MLex that they’re also participating, because their citizens might be among the owners of the 50 million affected accounts.

On Friday, Facebook said it had discovered an intrusion in which attackers exploited a vulnerability in the "View As" feature, which allows users to see what their profile looks like to other users of the social network. The intrusion allowed the hackers to steal Facebook access tokens, which they could then use to take over people’s accounts.

The Irish enforcer has said it believes that EU users owned less than 10 percent of these 50 million accounts. Other national regulators said they are working with Dublin to determine the impact on their own citizens.

Under the GDPR, which took effect in May, privacy breaches by companies operating in several EU countries are handled by the data-protection regulator in the state where the company has its EU headquarters — in this case, Ireland. But that regulator must cooperate closely with authorities in other jurisdictions affected by the violations.

If the "lead" and "concerned" regulators disagree on the outcome of the investigation, the case would escalate to the European Data Protection Board, an EU-level group of privacy authorities with the power to issue a decision binding on the "lead" regulator and privacy infringer.

Facebook could be fined up to 4 percent of its annual global turnover under the GDPR’s maximum penalties — a cool $1.6 billion.

The company is also facing investigations in Australia, Brazil, Malaysia and the Philippines.
