Facebook Could Face A GDPR Fine Of $1.63bn

Facebook was fined £500,000 under the Data Protection Act for the Cambridge Analytica scandal but may not get away so lightly this time.

Now, Facebook could face potentially billions in fines under GDPR for the latest data breach, which impacted roughly 50 million accounts.

The security incident was caused by a vulnerability in Facebook's code which permitted attackers to steal access tokens. Access tokens are what keep Facebook users logged in without re-entering their password; the flaw involved the "View As" feature, which lets a user see how their own profile appears to other people.

The breach was detected on September 25. The vulnerability, comprising three separate bugs, has been resolved and the access tokens of affected users have been reset, along with those of an additional 40 million users who were subject to a "View As" lookup over the past 12 months. It took mere hours before class-action lawsuits were filed against Facebook for failing to protect user data. It seems that it took only a little longer for regulators to become involved.
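The two token-handling controls the article touches on are worth seeing in code: a token issued while a user is previewing their profile "as" someone else must still authenticate only the real viewer, and an incident responder needs a way to reset every token a user has been issued without touching each one. The following is an added example written for this page, not Facebook's code and not a description of the actual bugs; the signing key, the one-day lifetime and the in-memory revocation table are assumptions chosen to keep it self-contained.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Iterable, Optional

# Constructed demo key; a real service would load this from a secret store.
SIGNING_KEY = secrets.token_bytes(32)

# Per-user revocation watermark: any token issued at or before this
# timestamp is dead. Resetting a user's tokens is a single write, which is
# what makes a reset of tens of millions of accounts practical.
REVOKED_BEFORE: Dict[str, float] = {}

TOKEN_TTL = 60 * 60 * 24  # one day; an assumption for the example


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, view_as: Optional[str] = None,
               now: Optional[float] = None) -> str:
    """Issue an HMAC-signed token for `subject`.

    `view_as` is a rendering hint only: it records whose perspective the UI
    should show, never who the bearer is. It is signed so it cannot be
    swapped for a different account after issue."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "iat": now, "nonce": _b64(secrets.token_bytes(8))}
    if view_as is not None:
        claims["view_as"] = view_as
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired and not reset."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time compare before trusting anything inside the body.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, json.JSONDecodeError):
        return None
    if now - claims["iat"] > TOKEN_TTL:
        return None
    if claims["iat"] <= REVOKED_BEFORE.get(claims["sub"], float("-inf")):
        return None
    return claims


def authenticated_user(token: str, now: Optional[float] = None) -> Optional[str]:
    """The identity a request acts as. Deliberately ignores `view_as`: a
    preview of someone else's view must never let the bearer act as them."""
    claims = verify_token(token, now)
    return None if claims is None else claims["sub"]


def reset_tokens_for_users(user_ids: Iterable[str],
                           now: Optional[float] = None) -> None:
    """Incident response: invalidate every token issued to these users so
    far, forcing a fresh login. Tokens minted after the reset stay valid."""
    now = time.time() if now is None else now
    for uid in user_ids:
        REVOKED_BEFORE[uid] = max(now, REVOKED_BEFORE.get(uid, float("-inf")))
```

The design choice that matters is that authorization reads `sub` and nothing else; `view_as` changes what the page renders, not who the caller is. The watermark approach means a reset costs one write per user rather than one per outstanding token, at the price of a lookup on every verification.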

According to the Data Protection Commission (DPC) for Ireland, the number of EU citizens among the accounts affected by the latest security incident is less than 10 percent of the 50 million users impacted. That works out to at most roughly five million users, which is still a huge number of people who may have had their data accessed or stolen. Facebook said in response:

"We're working with regulators including the Irish Data Protection Commission to share preliminary data about Friday's security issue. As we work to confirm the location of those potentially affected, we plan to release further info soon."

Under the Data Protection Act 1998, Facebook was fined £500,000 by the UK's Information Commissioner's Office (ICO) for permitting the data-harvesting antics of Cambridge Analytica, leading to the improper sharing of data belonging to 87 million Facebook users in the UK, US, and beyond.

The UK's old data protection regime permitted a maximum fine of £500,000, and this was the same amount that Equifax was fined over a data breach which compromised data belonging to 15 million UK citizens. Now that businesses in the EU are held accountable under the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, the potential financial ramifications could be far more serious.

The UK has already issued its first GDPR notice against AggregateIQ Data Services (AIQ), which has been connected to the Facebook-Cambridge Analytica data scandal.

If Facebook is found to be in breach of GDPR for failing to adequately protect user data over this incident, the company faces a fine of up to €20 million or 4 percent of annual global turnover, whichever is higher, so the social networking giant could find itself forking out far more than the previous maximum.

Based on Facebook's financial results for the last fiscal year, the fine could be up to $1.63 billion. In the firm's Q2 2018 financial results, Facebook reported net income of $5.1 billion and non-GAAP earnings of $1.74 per share on revenue of $13.23 billion.

The data breach is not the only headache Facebook has recently had to cope with. The company has also faced criticism over its use, for targeted advertising, of phone numbers that users supplied for security purposes.

ZDNet

