Immediately after Facebook announced on Friday (Sept. 28) that more than 50 million accounts were compromised in a massive hack, the European regulatory agency that oversees Facebook, Ireland’s Data Protection Commission (DPC), said it was looking into the breach. If Facebook violated the provisions of Europe’s strict new privacy law, the General Data Protection Regulation (GDPR), it could face a fine as high as $1.63 billion, which is 4% of the company’s annual revenue.
Last week’s hack was the largest in Facebook’s history. Unlike the Cambridge Analytica scandal, it was not a strange tale of a company taking advantage of Facebook’s rules, but rather an exploitation of a vulnerability in its actual code. Facebook said it became aware of the hack on Tuesday and patched it over the next several days. It doesn’t yet know, however, the actual scale of the hack. One of the potential outcomes is that other sites that use Facebook data for logins, like Tinder or Spotify, could also be compromised. It also remains unknown how exactly the hackers were planning to use the data.
The Wall Street Journal reports that Facebook will be under scrutiny on two levels: regulators will be trying to establish whether it did enough to protect user data, and whether it notified regulators of the breach within a 72-hour time period, as required under GDPR (which for now it appears that it did).
The probe will be a litmus test for how the GDPR functions in practice, the Journal notes. The fine, if any, could be much smaller than the $1.63 billion maximum, especially if Facebook cooperates with the regulators.
Facebook was not immediately available for comment.
Graham Doyle, a spokesperson for the DPC, said in an email to Quartz that the agency understands that the number of EU accounts potentially affected by the hack is less than 10% of the total. “Facebook has assured us that they will be in a position to provide a further breakdown in relation to more detailed numbers soon.”