The Facebook Breach: What it means for users, third-parties, and the tech giant itself

Facebook announced at the end of September that 90 million user accounts were affected by a security incident involving the platform’s “View As” feature, a capability that lets a user see how other people view their profile. The security lapse was caused by unauthorized access to users’ access tokens, which appear to have given the malicious actor holding them full control of the affected accounts. Facebook reset the login tokens of the 50 million accounts that were directly affected, as well as the login tokens of a further 40 million accounts that had used the “View As” feature in the past year.

The incident also affects any application that a Facebook user signs in to via “Facebook Login,” which lets other apps authenticate a user through their Facebook account. Any user whose access token was compromised through the “View As” feature may therefore have had their linked apps compromised as well, since those apps accept the same token as proof of identity.
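To make the two points above concrete (a bearer access token is as good as the account to any app that accepts it, and the remediation is to invalidate every outstanding token of the affected accounts so that stale copies held by third-party apps stop working), here is an added, self-contained model written for this article. It is not Facebook's code; the `IdentityProvider`, `RelyingApp` classes, the in-memory token store and the user names are all assumptions made for the example.

```python
"""
Illustrative model (not Facebook's implementation) of bearer access tokens,
a relying app that authenticates through them, and a bulk token reset of the
kind described in the article. Everything here is an assumption for the example.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class TokenRecord:
    user_id: str
    revoked: bool = False


class IdentityProvider:
    """Issues bearer access tokens and answers 'is this token still valid?' queries."""

    def __init__(self) -> None:
        # Store only a hash of each token so a leaked store does not leak usable tokens.
        self._tokens: Dict[str, TokenRecord] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[self._fingerprint(token)] = TokenRecord(user_id=user_id)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id the token grants access to, or None if unknown or revoked."""
        rec = self._tokens.get(self._fingerprint(token))
        if rec is None or rec.revoked:
            return None
        return rec.user_id

    def revoke_all_for_users(self, user_ids: Set[str]) -> int:
        """Bulk reset: invalidate every outstanding token of the given accounts."""
        count = 0
        for rec in self._tokens.values():
            if rec.user_id in user_ids and not rec.revoked:
                rec.revoked = True
                count += 1
        return count


class RelyingApp:
    """A third-party app using the 'login with the provider' pattern. It re-checks
    the provider token on every request instead of trusting a cached result, so an
    upstream reset ends the app session as well."""

    def __init__(self, idp: IdentityProvider) -> None:
        self.idp = idp
        self.sessions: Dict[str, str] = {}  # app session id -> provider token

    def login(self, provider_token: str) -> Optional[str]:
        if self.idp.validate(provider_token) is None:
            return None
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = provider_token
        return session_id

    def get_profile(self, session_id: str) -> Optional[str]:
        token = self.sessions.get(session_id)
        if token is None:
            return None
        user = self.idp.validate(token)
        if user is None:
            self.sessions.pop(session_id, None)  # stale session: drop it
            return None
        return f"profile-of-{user}"


def simulate_breach_and_reset() -> Dict[str, bool]:
    """Constructed scenario: a copied token is accepted by the app exactly like the
    real user, then the provider bulk-resets the affected account's tokens and the
    copied token (and the app session built on it) stops working, while an
    unaffected user is untouched."""
    idp = IdentityProvider()
    app = RelyingApp(idp)
    alice_token = idp.issue_token("alice")
    bob_token = idp.issue_token("bob")

    copied_session = app.login(alice_token)  # whoever holds the bearer token is "alice"
    bob_session = app.login(bob_token)
    worked_before = app.get_profile(copied_session) == "profile-of-alice"

    revoked = idp.revoke_all_for_users({"alice"})  # the remediation step

    return {
        "copied_token_worked_before_reset": worked_before,
        "revoked_exactly_one": revoked == 1,
        "copied_token_dead_after_reset": app.get_profile(copied_session) is None,
        "copied_token_cannot_relogin": app.login(alice_token) is None,
        "unaffected_user_still_works": app.get_profile(bob_session) == "profile-of-bob",
    }


if __name__ == "__main__":
    for check, ok in simulate_breach_and_reset().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The design point for third-party developers is the `get_profile` check: an app that only validates the provider token at login time and then trusts its own session keeps serving a compromised identity until that session expires, whereas re-validating (or honouring a revocation signal from the provider) makes the provider's bulk reset effective downstream immediately.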

Facebook claims that a sophisticated actor was responsible for the user access token abuse. While the company has not attributed the security incident to any specific threat actor, the company is working with law enforcement to uncover more information that could lead to identifying the culprits.

Facebook faces massive GDPR fines following the incident

The security lapse puts Facebook at risk of a $1.63 billion fine under the European Union’s General Data Protection Regulation (GDPR), a standard which aims to protect the data privacy of UK citizens and hold organizations accountable for failing to protect user data. If the fine is issued, Facebook would be one of the first organizations to be fined under the GDPR, which came into force on May 25th, 2018. Given the scale of the incident, the way regulators respond to the breach will likely set a precedent for future GDPR data protection violations.

Calls for stronger data protection regulations in the United States

Currently, the United States has no data security standard equivalent to the EU’s General Data Protection Regulation. Influential lawmakers have already called for stronger data privacy protections following the Facebook security incident. Senator Mark Warner of Virginia stated that “this is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. A full investigation should be swiftly conducted and made public so that we can understand more about what happened.”

Culturally, Europe and the United States have differing views on privacy and information security. Europe treats data privacy as a fundamental human right, whereas the United States has made no equivalent declaration. While Facebook faces a financial penalty from European regulators, it will not suffer such consequences in the United States. Even though organizations operating solely in the US lack the same direct financial incentive to protect data privacy, consumers are becoming increasingly privacy-aware, and many are boycotting or avoiding companies they believe do not take data security seriously. It remains to be seen whether Facebook will face consumer backlash for this latest incident, similar to the mass exodus of Facebook users following the Cambridge Analytica scandal.