Irish investigation raises prospect of $1.6bn fine for Facebook

News by Tom Reeve

The Irish data regulator will investigate the circumstances around the cyber-attack against Facebook which saw the social media giant lose control of 50 million user accounts.

The Irish Data Protection Commission (DPC) has launched a formal investigation into the Facebook data breach which could lead to a US$1.6 billion (£1.2bn) fine.

And it’s been revealed that the breach could have affected corporate customers of Facebook’s chat app Workplace.

The social media giant announced on 28 September that it had suffered a cyber-attack affecting 50 million user accounts. The attackers identified a weakness in a feature known as "View As" which ironically was designed to help users enhance their privacy.

The European investigation will take place under section 110 of Ireland’s Data Protection Act 2018 which states the DPC can launch an investigation on its own initiative "to ascertain whether an infringement has occurred or is occurring". Ireland is the data regulator for Facebook in Europe because the company has its European headquarters there.

It is thought that up to 10 percent of the accounts affected by the hack belonged to European citizens. Under GDPR, organisations can be fined up to four percent of global turnover for breaches of personal data.

The DPC said: "The investigation will examine Facebook’s compliance with its obligation under the General Data Protection Regulation to implement appropriate technical and organisational measures to ensure the security and safeguarding of the personal data it possesses."

Meanwhile, according to Business Insider, Facebook is investigating whether any users of its business chat app Workplace have been affected by the breach. It said that it is unlikely to be a problem unless users used a beta feature which enabled them to link their personal accounts to their business accounts.

The company is also facing a class action lawsuit in California, launched just days after the attack was made public.

The DPC said Facebook had informed it of the attack on 28 September, just three days after the company’s engineers discovered the breach. "Facebook has informed the DPC that their internal investigation is continuing and that the company continues to take remedial actions to mitigate the potential risk to users," the DPC said.
