Facebook faces £1.25bn EU GDPR fine over data breach

by Mark Tyson on 1 October 2018, 15:21

Tags: Facebook, Tesco (LON:TSCO)


Facebook breach

Ahead of the weekend Facebook disclosed a major data breach affecting up to 50 million accounts. The attackers exploited a flaw in the way Facebook handles authentication, which let them obtain other users' access tokens; the flaw has since been fixed. Because GDPR is now in force, Facebook is staring at a potential fine of up to £1.25 billion if any of the affected users are in Europe.

In a security update blog post, Facebook says that it has patched the security flaw, which it traced to the site's 'View As' privacy feature (the tool that lets a user see how their profile appears to someone else). A bug in that code let attackers steal Facebook access tokens, which they could then use to take over people's accounts. The post goes on to explain that "Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app."

Having fixed the flaw, Facebook has contacted law enforcement, including the FBI, to help identify who was behind the attack and, if possible, bring them to justice. The access tokens for the almost 50 million affected accounts have been reset, so those users have to log in afresh. As an extra precaution, a further 40 million users have also had their access tokens reset and will need to log in again on all their devices. After logging in, a notification at the top of the News Feed explains what has happened.
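The remediation described above, resetting tokens rather than hunting for individual stolen ones, is worth seeing in code. The following is an added example and not Facebook's own code or token format (neither is public on this page): a hypothetical bearer-token store in Python in which every user has a server-side "generation" counter baked into each token they are issued. Bumping that counter invalidates every token the user has ever been given, including any copy an attacker has already exfiltrated, while the user simply logs in again and gets a fresh one. The class and function names (TokenStore, breach_response), the token layout and the sample user ids are all assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Iterable, Optional


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    """Inverse of _b64e; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenStore:
    """Hypothetical bearer-token issuer with per-user revocation (not Facebook's code).

    Each user has a 'generation' counter held server-side. A token records the
    generation it was minted under, and validation requires that number to match
    the user's current counter. Bumping the counter therefore kills every token
    ever issued to that user, wherever the copy lives (the user's own phone or
    an attacker's machine), without the server needing to know which individual
    tokens leaked.
    """

    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self._generation: Dict[str, int] = {}

    def issue(self, user_id: str, ttl_seconds: int = 3600,
              now: Optional[float] = None) -> str:
        """Mint an HMAC-signed token for user_id that expires after ttl_seconds."""
        now = time.time() if now is None else now
        payload = {
            "uid": user_id,
            "gen": self._generation.setdefault(user_id, 0),
            "exp": int(now) + ttl_seconds,
            "nonce": secrets.token_hex(8),  # distinct token per device/login
        }
        body = _b64e(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64e(sig)}"

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the owning user id, or None if the token is unusable."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".", 1)
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_b64d(sig), expected):
                return None  # forged or tampered with
            payload = json.loads(_b64d(body))
            uid, gen, exp = payload["uid"], payload["gen"], payload["exp"]
            if exp < now:
                return None  # expired
            if gen != self._generation.get(uid):
                return None  # issued before the user's tokens were reset
        except (ValueError, KeyError, TypeError):
            return None  # malformed token (bad base64, bad JSON, missing fields)
        return uid

    def revoke_all(self, user_id: str) -> None:
        """Invalidate every outstanding token for one user; they must log in again."""
        self._generation[user_id] = self._generation.get(user_id, 0) + 1

    def revoke_many(self, user_ids: Iterable[str]) -> int:
        """Bulk reset for a set of accounts; returns how many were reset."""
        count = 0
        for uid in user_ids:
            self.revoke_all(uid)
            count += 1
        return count


def breach_response(store: TokenStore, compromised: Iterable[str],
                    precautionary: Iterable[str]) -> int:
    """Reset tokens for accounts known to be affected, then for a wider set as a
    precaution, mirroring the two-stage reset the article describes."""
    return store.revoke_many(compromised) + store.revoke_many(precautionary)


if __name__ == "__main__":
    # Constructed walk-through: a token copied by an attacker stops working the
    # moment the user's tokens are reset, while the user can log in afresh.
    store = TokenStore(secrets.token_bytes(32))
    stolen = store.issue("alice")
    print("stolen token valid before reset:", store.validate(stolen) == "alice")
    breach_response(store, compromised=["alice"], precautionary=["bob"])
    print("stolen token valid after reset: ", store.validate(stolen) == "alice")
    fresh = store.issue("alice")
    print("fresh login works:              ", store.validate(fresh) == "alice")
```

Two caveats a practitioner would want alongside this. First, the generation counter must live server-side; a token whose validity depends only on its own signature and expiry cannot be recalled once it has left the building. Second, resetting tokens only closes the door on further use of stolen credentials; it does not undo anything an attacker already did with them while they were valid, which is why the investigation and the user notification the article describes matter as much as the reset itself.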

Tesco Bank customers robbed

In a similar security vein, it was revealed today that Tesco Bank has been fined £16.4 million over a cyber attack in November 2016. During that incident, attackers took £2.26 million from the bank's customers over a 48-hour period. Adding insult to injury, the bank's online services were temporarily suspended for 136,000 customers while Tesco tried to work out what was happening.

The UK's Financial Conduct Authority (FCA) has said that Tesco Bank failed to "exercise due skill, care and diligence" in protecting its current account holders. The FCA added that the cyber attack under the spotlight was "largely avoidable".

In all, £2.26 million was stolen from 9,000 customers, out of a total of 40,000 accounts compromised, reports ZDNet. Investigators found weaknesses in the design of Tesco Bank's debit cards, in its financial crime controls and in its Financial Crime Operations Team.

Tesco initially faced a much stiffer fine of £33 million, but the penalty was substantially reduced because the bank cooperated with the regulator. Tesco has since paid the fine, reimbursed affected customers and apologised to them. Perhaps more importantly, the bank has, in the words of chief executive Gerry Mallon, "significantly enhanced our security measures to ensure that our customers' accounts have the highest levels of protection".



HEXUS Forums :: 19 Comments

I was affected, enjoy the fine Facebook :)
I'm always skeptical concerning fines for security breaches, they seem a little too much stick than carrot. I'd much prefer it if companies were forced to perform X years' worth of security audits or something to get them to adopt better security practices.
Corky34 wrote: "I'm always skeptical concerning fines for security breaches, they seem a little too much stick than carrot. I'd much prefer it if companies were forced to perform X years' worth of security audits or something to get them to adopt better security practices."
You don't necessarily get fines; other actions like audits are available instead of, or as well as, fines.

If an organisation can show that a breach was down to a previously unknown vulnerability, it's unlikely there will be much of a fine. If it was a known vulnerability, out-of-date software or an obvious attack vector, they'll come down harder.
Corky34 wrote: "I'm always skeptical concerning fines for security breaches, they seem a little too much stick than carrot. I'd much prefer it if companies were forced to perform X years' worth of security audits or something to get them to adopt better security practices."

“You've been responsible for something bad happening which you should have prevented, go and sit on the naughty step thinking about what you did and how you can do better!”

The above is a reasonably boiled-down summary of what you are suggesting in the security world.

Fines are cause and effect, and the prospect of fines of the scale the EU suggests has kicked most CSOs in the EU, and somewhat worldwide, into adopting better practices already.

The fines are a punishment for something they should have prevented by adopting better development and security practices. Additionally, are you not sure that Facebook already has security auditors, researchers and white hats coming out of its ears? Telling them to get more would be a waste of time.

If there is no effect, then how will a cause be resolved properly to prevent it in the future? Right now I bet the team responsible for that feature is getting a big shake-up on procedure to prevent that happening again.

On another note, yes! A big company has been pulled over the coals, that makes my job easier!
To note, I'm not suggesting they should sit on a naughty step. :) Or that fines shouldn't be levied.

It's just that I'd prefer something to force them to adopt better security practices. Fines always seem a rather blunt instrument, as some companies see them as the cost of doing business and just pass the cost on to us consumers; it's sort of like we potentially pay £1.25bn (or whatever) every 5-10 years, or £2m each year for better security. Companies inevitably choose the cheapest option, and I'd prefer them to be forced into adopting the best option.

Yes, FB could have security auditors, researchers and white hats coming out of its ears, but people like that don't act in isolation; for all we know, people like that could've been highlighting security issues for ages but been ignored because FB did think the cost/risk ratio was worth worrying about.

EDIT: I've said it before, but IMO the way the aviation industry deals with safety issues is the gold standard, and I think other industries could benefit from implementing similar practices, if necessary by being forced to do so.