Facebook facing GDPR fine of up to £1.25bn over security breach affecting 50 million accounts

Irish Data Protection Commission to rule over Facebook mega-breach

Facebook could be on the hook for a fine of as much as £1.25bn over its recent 50 million account data breach under the new General Data Protection Regulation (GDPR).

Although less than 10 per cent of the users affected by the data breach live in the European Union, the Irish Data Protection Commission (IDPC) believes that Facebook could be liable for up to $1.63 billion (£1.25bn) in fines - a sum equivalent to four per cent of its $40.7bn annual turnover in 2017 - if the IDPC determines that it didn't do enough to protect users' security.

That's according to the Wall Street Journal, which claims that the IDPC is demanding more information about the security breach, including details on which EU citizens might have been affected.

The commission said it was "concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point".

Facebook wrote in response to the IDPC's tweet: "We're working with regulators including the Irish Data Protection Commission to share preliminary data about Friday's security issue. As we work to confirm the location of those potentially affected, we plan to release further info soon".

The breach, which Facebook announced on Friday after uncovering it on Tuesday, saw hackers exploit a vulnerability in Facebook's code that affected 'View As', a feature that enables people to see what their own profile looks like to someone else.

This enabled the as-yet-unidentified attackers to access users' authentication tokens, which means they had access to personal details.

With access to users' authentication tokens, hackers would have had access to private messages, which would have been exposed to harvesting until Facebook forced a log-out.

The company also confirmed over the weekend that if any of the 50 million affected had used their Facebook accounts to log into third-party sites - Spotify, Instagram, Tinder or Airbnb, to name but a few - data from those could easily have been leaked as well.
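The forced log-out that ended the exposure works by invalidating every token issued before a cut-off, and the third-party angle arises because a token minted during a Facebook login is also what the connected site accepts. The following is an added illustration, not Facebook's code: the token format, HMAC signing key and in-memory revocation table are assumptions. It shows tokens bound to a user and an audience (the site that accepted the login), an audience check that stops a token issued for one site being presented at another, and a per-user revocation cut-off that kills every outstanding token for that user, including those held by third-party sites, in a single operation.

```python
"""Forced log-out by revocation cut-off: an added example, not Facebook's code.

Assumptions: tokens are HMAC-SHA256 signed JSON claims, the signing key is a
constructed demo value, and revocation state lives in an in-memory dict.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed server-side signing key (a real deployment keeps this in a KMS/HSM).
SIGNING_KEY = b"constructed-demo-key-do-not-use"

# Per-user cut-off: tokens whose issued_at is strictly before this value are dead.
REVOKED_BEFORE: dict = {}


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(user_id: str, audience: str, issued_at: int) -> str:
    """Mint a bearer token bound to a user and to the app/site (audience) that may use it."""
    claims = {
        "sub": user_id,          # whose session this is
        "aud": audience,         # which relying party may accept it
        "iat": issued_at,        # issue time, compared against the revocation cut-off
        "jti": secrets.token_hex(8),
    }
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


def validate_token(token: str, expected_audience: str) -> Optional[dict]:
    """Return the claims if signature, audience and revocation cut-off all pass, else None."""
    try:
        payload, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    # A token minted for one site must not be accepted by another.
    if claims.get("aud") != expected_audience:
        return None
    # Anything issued before the user's forced log-out is rejected, whatever its audience.
    if claims["iat"] < REVOKED_BEFORE.get(claims["sub"], 0):
        return None
    return claims


def force_logout(user_id: str, at: int) -> None:
    """Invalidate every token this user holds, across all audiences, issued before `at`."""
    REVOKED_BEFORE[user_id] = max(REVOKED_BEFORE.get(user_id, 0), at)


def demo() -> dict:
    """Walk through the incident-response sequence on constructed data."""
    fb = issue_token("alice", "facebook", issued_at=1000)
    third_party = issue_token("alice", "music-service", issued_at=1000)
    before = {
        "fb_ok": validate_token(fb, "facebook") is not None,
        "third_party_ok": validate_token(third_party, "music-service") is not None,
        "cross_site_rejected": validate_token(third_party, "facebook") is None,
    }
    force_logout("alice", at=1001)          # the forced log-out step
    fresh = issue_token("alice", "facebook", issued_at=1002)
    after = {
        "fb_dead": validate_token(fb, "facebook") is None,
        "third_party_dead": validate_token(third_party, "music-service") is None,
        "fresh_ok": validate_token(fresh, "facebook") is not None,
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The cut-off is keyed by user rather than by token, which is what makes a bulk invalidation cheap: no list of leaked token ids is needed, and tokens already handed to connected sites die at the same instant as the first-party session.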