Less than a year after the Cambridge Analytica scandal, Facebook is making headlines again. This time, it’s for a data breach in September that compromised the accounts of around 30 million users. It’s believed that hackers gained access to private information through a fault in access tokens, a tool that allows accounts to remain logged in on devices. Facebook has confirmed that the scammers operate by posing as a digital marketing company and look to make money through deceptive advertising. Their activities were already known to Facebook’s security team.
Personal data from this breach has been found on the dark web, selling for between $3 and $12. If sold at these prices, the value of the stolen data would be somewhere between $150m and $600m, highlighting the clear financial incentive for cybercriminals to target social media platforms like Facebook.
This latest high-profile breach is bad news for the social media giant. The Cambridge Analytica scandal sent a damaging message to users that Facebook was harvesting their personal data for the highest bidder, but this latest scandal has called its technical competence into question. While the hackers were undoubtedly sophisticated, it was Facebook’s own inability to patch a key vulnerability for over a year that left the door wide open to them.
The Facebook breach will also be an interesting test of the new European data protection regulations (GDPR), which came into force earlier this year. It’s estimated that around 10% of the compromised accounts belong to European citizens, putting Facebook in breach of GDPR. The maximum penalty for such a breach is 4% of annual revenue, which for Facebook would amount to an eye-watering $1.63 billion.
This story is still developing, and how authorities react will set a precedent for the inevitable future data breaches that will happen as our world becomes more digitised.