Irish DPC ‘concerned’ about Facebook data breach

Irish DPC ‘concerned’ about Facebook data breach

Reaction to news Friday that up to 50 million Facebook users were compromised in a data breach rippled through the privacy world over the weekend, prompting comments from the Irish Data Protection Commission, the U.K. Information Commissioner’s Officer, Sens. Mark Warner, D-Va., and Ed Markey, D-Mass., as well as FTC Commissioner Rohit Chopra. A class-action lawsuit was also filed within hours of the announcement.

In a blog post responding to the data breach, Facebook said its “investigation is still in its early stages.”

Monday afternoon, the Irish DPC announced in a tweet that less than 10 percent of the 50 million affected were EU citizens.

The New York Times first reported the incident Friday afternoon after a conference call with Facebook CEO Mark Zuckerberg and VP of Product Management Guy Rosen. Zuckerberg said Facebook’s engineering team “found an attack” that “exploited a vulnerability in the code of the View As feature, which is a privacy feature that lets people see what their Facebook profile would look like to another person.” Attackers could then take Facebook access tokens, allowing them to fully take over a person’s Facebook account or accounts that let users login via the Facebook login.

During the call, Zuckerberg and Rosen confirmed the company had alerted the Irish DPC and the U.S. Federal Bureau of Investigation.

In a series of strongly worded tweets, the Irish DPC also confirmed it was alerted to the data breach — reportedly within the 72-hour breach notification limit as mandated by the EU General Data Protection Regulation — but added it “is awaiting from Facebook further urgent details of the security breach” and whether EU users were affected.

EU Justice Commissioner Vera Jourova also urged Facebook to “fully cooperate” with the Irish DPC, and European Commission Vice-President for the Digital Single Market Andrus Ansip used the occasion to call for more security design in software.

FTC Commissioner Rohit Chopra, who will be interviewed by the IAPP’s Angelique Carson at Privacy. Security. Risk. later this month, said he wants more details from the company.

In comments to The New York Times, Chopra went further, saying, “Breaches don’t just violate our privacy. They create an enormous risk for our economy and national security. … The cost of inaction is growing, and we need answers.”

At least two Democratic Senators urged an investigation into the incident as well. Warner, who recently published a policy paper outlining potential privacy regulation of social media companies, said the incident “is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures.”

 

And Sen. Ed Markey, who took part in last week’s Senate Commerce Committee hearing exploring consumer privacy and a potential U.S. privacy law, added:

 

However, while attention from U.S. policymakers may lead to ramifications, all eyes will likely turn to the European Union, where the GDPR’s consistency mechanism will truly be put to the test.

U.K. Information Commissioner’s Office Deputy Commissioner of Operations James Dipple-Johnstone said, “We will be making enquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected.”

Though many more details remain unanswered, the breach is the first major one for Facebook since the GDPR went into effect last May. Last month, British Airways notified users of a breach affecting credit cards used on its website. The Wall Street Journal reports that Facebook could face a maximum $1.63 billion fine under the GDPR based on its global annual turnover, but it is not clear at this stage whether it violated the regulation or if any of the conditions for triggering the highest fine amount would be met.

In an emailed statement to the WSJ, the Irish DPC said it is “concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.”

The incident highlights the difficulty companies face under a 72-hour notification deadline. In order to notify relevant authorities within the window, all the facts of a given breach incident may not yet be known. It may also test what comprises sound data security. DLA Piper Partner Andrew Dyson told the WSJ that, “When you talk about a business like Facebook that has huge resources and a larger user base, that is inevitably going to be seen as a higher bar. The expectation is that they are going to be deploying a very significant amount of resources” on data security.

Sarah Pearce, head of the data privacy and cybersecurity practice at Paul Hastings, said of companies handling big data in general, “If you are a company that is processing personal data on a large scale, the level of risk is going to be seen as higher, so the level of security will have to be higher.”

In a second conference call later Friday, Facebook revealed the flaw affects other third parties as well. Any accounts that allow the user to log in through Facebook, called Single Sign On, could have been affected as well. In the second call, Rosen explained, “The access token enables someone to use the account as if they were the account holder themselves. This does mean they could access other third-party apps using Facebook login will be able to detect those access tokens have been reset.”

The complexity of the features and the size of Facebook itself demonstrates the difficulty in maintaining data security. Security researcher Jean Yang pointed out that the breach “happened as a result of an unpredicted interaction between features. It’s super hard to reason about security/privacy when you’re building software in such a decentralized way.”

 

The breach prompted Consumers Union, the advocacy division of Consumer Reports, to call for stronger data protection and breach notifications laws in the U.S. Director of Consumer Privacy and Technology Policy Justin Brookman said, “Existing consumer protection law provides few clear obligations for companies to safeguard sensitive data. And most state notification laws don’t cover social media accounts, so companies don’t have an obligation to tell you when your data has been exposed. Consumers deserve comprehensive data security and data breach notification laws that make protecting their personal information the top priority.”

To top things off, users trying to post news of the breach on Facebook — specifically links from The Guardian and the Associated Press — were not allowed to do so because the company’s automated systems detected them as spam.

In a tweet, the official Facebook account told NYTs reporter Kate Conger that its “automated systems incorrectly marked the two articles as spam. The issue has been resolved and articles can be shared now.”

#BigData #DataLoss #Enforcement #Infosecurity #Privacy #Law #SocialNetworking

Original Piece https://iapp.org/

, , , , , , , , , ,
Recommended Posts
Third Plenary session: EU-Japan draft adequacy decision, DPIA lists, territorial scope and e-evidence.
Third Plenary session: EU-Japan draft adequacy decision, DPIA lists, territorial scope and e-evidence.data portability, data privacy, Enforcement, EU, EU-Japan, European law, GDPR, GDPR guidance, GDPR Training, International, News, Personal details, PersonalData, privacy
Data Protection Commission
Data Protection Commission welcomes significant increased funding of €3.5 million in 2019 BudgetData Commissioner, Data Protection Commissioner, Data Protection Commissioner Helen Dixon, Data Protection Officers, DPC, European law, GDPR