On Tuesday, 25 September, Facebook discovered a major data breach that gave criminal hackers the ability to take over user accounts.
50 million Facebook users worldwide may be impacted by the breach, including about 5 million European accounts.
The Irish DPC (Data Protection Commission) has opened a formal investigation, which could result in Facebook being fined up to $1.63 billion (about €1.41 billion).
In a statement on Wednesday, 3 October, the DPC said: “The investigation will examine Facebook’s compliance with its obligation under the General Data Protection Regulation (GDPR) to implement appropriate technical and organisational measures to ensure the security and safeguarding of the personal data it processes.”
Facebook has confirmed it has been in contact with the DPC. The Commission noted that Facebook informed the DPC that its internal investigation was continuing and that it was taking “remedial actions to mitigate the potential risk to users”.
The Spanish Data Protection Agency announced it would collaborate with the DPC investigation to protect the rights of Spanish citizens.
The breach is believed to be the largest in Facebook’s history – and possibly the most serious, given that criminal hackers stole access tokens that allowed them to take full control over users’ accounts, including logging in to third-party applications.
Facebook was “unable to clarify the nature of the breach and risk to users” at that point, the DPC said, adding that it was pushing the organisation to “urgently clarify these matters”.
Is your organisation prepared for a cyber-attack?
One of the technical and organisational measures the GDPR requires should be regular penetration tests. A penetration test involves a professional tester, working on behalf of an organisation, looking for network and application vulnerabilities in the same way a criminal hacker would.
Identifying and addressing those vulnerabilities, ideally before the product being tested is released, means organisations can avoid having to patch software later and, more importantly, can close each vulnerability before a criminal hacker discovers it.
IT Governance is a CREST-accredited provider of penetration tests. We offer a range of services to help organisations of all sizes manage their cyber security strategies.