Ireland’s DPC (Data Protection Commission) has launched a statutory inquiry into Facebook following the disclosure of a data breach affecting millions of users.
The social media giant announced in March that a routine security review at the beginning of the year found millions of user passwords stored in plain text on its internal servers. This meant that a total of 20,000 Facebook employees had access to these passwords.
Facebook estimated it would need to notify “hundreds of millions” of Facebook and Facebook Lite users about the breach. It later added that “millions” of Instagram users were also affected.
A Facebook spokesman said: “We are working with the Irish Data Protection Commissioner on their inquiry. There is no evidence that these internally stored passwords were abused or improperly accessed.”
Facebook’s statement also notes that the organisation protects passwords “In line with security best practices” by using a “scrypt” function and a cryptographic key, which essentially replaces users’ passwords with a random set of characters.
While Facebook says that users’ passwords weren’t abused by employees, it encourages users to change their Facebook and Instagram passwords and consider enabling two-factor authentication.
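To make the distinction in the statement concrete (plain-text storage versus scrypt with a server-side key), the following Python script is an added illustration and is not Facebook’s code or a description of its systems. It hashes a password with scrypt over a per-user random salt, after first keying the password with a server-side secret (a “pepper”, held separately from the password table), verifies a login in constant time, and includes a small audit check of the kind a routine security review might run over stored records to flag anything that is not in the expected hashed format. The pepper value and the scrypt cost parameters are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed for this example. A real deployment keeps the pepper in a
# secrets manager or HSM, never in the same store as the password table,
# so a copy of the table alone is useless to an attacker.
SERVER_PEPPER = b"example-server-side-key-not-for-production"

# scrypt cost parameters (assumed values; tune to the hardware in use).
# Memory use is roughly 128 * r * N bytes, here 16 MiB.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
HASH_LEN = 32
SALT_LEN = 16


def _keyed(password: str) -> bytes:
    """Bind the password to the server-side key before hashing."""
    return hmac.new(SERVER_PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$N$r$p$salt_hex$digest_hex.

    A fresh random salt is drawn for each user unless one is supplied
    (the parameter exists so the output can be reproduced in tests).
    """
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.scrypt(
        _keyed(password), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_LEN
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    if not looks_hashed(stored):
        return False
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(
        _keyed(password),
        salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p),
        dklen=len(digest_hex) // 2,
    )
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def looks_hashed(stored: str) -> bool:
    """Audit check: does a stored value have the expected scrypt record shape?

    Anything that fails this (for example a raw password that was logged or
    written by mistake) should be flagged for review.
    """
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        int(parts[1]), int(parts[2]), int(parts[3])
        bytes.fromhex(parts[4])
        bytes.fromhex(parts[5])
    except ValueError:
        return False
    return True


def audit_records(records: dict) -> list:
    """Return the user ids whose stored credential is not in hashed form."""
    return sorted(uid for uid, value in records.items() if not looks_hashed(value))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
    # Constructed sample store containing one mistakenly plain-text entry.
    store = {"alice": record, "bob": "hunter2", "carol": hash_password("pw")}
    print("flagged:", audit_records(store))
```

Running the script prints a record such as `scrypt$16384$8$1$<salt>$<digest>`, confirms the correct password verifies and a wrong one does not, and reports `['bob']` as the record that a review would flag. Rotating the pepper requires re-hashing on next login, which is why the scrypt parameters are carried in the record rather than hard-coded into the verifier.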
Further investigations underway
In addition to the DPC’s investigation, Facebook was hit with two more investigations on the same day.
The OPC (Office of the Privacy Commissioner of Canada) said Facebook broke its strict privacy laws during the Cambridge Analytica scandal last year.
Facebook disputed the OPC’s findings and refused to implement its recommendations, causing the OPC to consider bringing the organisation to federal court to force it to change its data privacy practices.
The other data breach investigation comes from New York Attorney General Letitia James regarding the “unauthorized collection of 1.5 million Facebook users’ email contact databases”.
James notes that “It is time Facebook is held accountable for how it handles consumers’ personal information.
“Facebook has repeatedly demonstrated a lack of respect for consumers’ information while at the same time profiting from mining that data. Facebook’s announcement that it harvested 1.5 million users’ email address books, potentially gaining access to contact information for hundreds of millions of individual consumers without their knowledge, is the latest demonstration that Facebook does not take seriously its role in protecting our personal information.”
Facebook inquiries mount up
These investigations are in addition to the DPC’s seven statutory inquiries into Facebook and three inquiries into WhatsApp and Instagram. The first inquiry is expected to conclude by summer 2019 and the remainder by the end of the year.
Organisations that violate the GDPR (General Data Protection Regulation), which came into force on 25 May 2018, can face fines of up to 4% of annual turnover or €20 million, whichever is greater. This could mean billions in fines for tech corporations such as Facebook.
Are you prepared for a data breach?
Ponemon Institute’s 2018 Cost of a Data Breach Study found that one in four organisations will suffer a data breach within the next two years.
As cyber attacks become easier to carry out, and the potential damage they cause becomes greater, organisations must improve their cyber defences by taking an integrated and intelligence-led approach to cyber security that considers people, processes and technology.