ODPC must use Facebook breach to set standards
4 October 2018
Last Friday’s admission by Facebook that almost 50 million user accounts were compromised by hackers exploiting the ‘View As’ feature represents the biggest breach in the social network’s history. The attackers stole access tokens: the credentials that keep a user logged in and that, through Facebook Login, let them sign up for and log in to third-party websites and apps such as Spotify and Tinder. With a valid token an attacker can not only act as you on Facebook but also reach whatever else you have tied to that login.
Facebook’s fix has been to reset the tokens, which logged the affected users out of their accounts and out of any app that relied on those tokens. What is still unclear is how long Facebook was vulnerable, exactly how many accounts were affected and how much data was taken. We may never know. The company’s ‘move fast and break things’ philosophy evidently does not extend to building security strong enough to protect its 2.2 billion users.
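Why does resetting tokens log everyone out, and why is it the right first move? The following is an added illustration written for this piece, not Facebook’s own code: a minimal bearer-token scheme in which each token carries a per-user “version”, and a breach response bumps that version so every previously issued token, stolen or not, stops validating. The signing key, user ids and in-memory version store are all constructed for the example.

```python
"""Added example (not Facebook's implementation): per-user token versioning
so that a single server-side action invalidates every outstanding token."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: stands in for a real server-side secret; constructed for the demo.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class TokenService:
    """Issues HMAC-signed bearer tokens and checks them against a per-user version."""

    def __init__(self, key: bytes):
        self.key = key
        self.version = {}  # user_id -> current token version (hypothetical in-memory store)

    def issue(self, user_id: str, ttl: int = 3600, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        ver = self.version.setdefault(user_id, 1)
        claims = {"sub": user_id, "ver": ver, "exp": int(now + ttl)}
        payload = json.dumps(claims, separators=(",", ":")).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)

    def verify(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the claims if the token is genuine, unexpired and not revoked, else None."""
        now = time.time() if now is None else now
        try:
            p, s = token.split(".", 1)
            payload, sig = _unb64(p), _unb64(s)
        except (ValueError, binascii.Error):
            return None  # malformed
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered
        claims = json.loads(payload)
        if claims["exp"] < now:
            return None  # expired
        if claims["ver"] != self.version.get(claims["sub"]):
            return None  # revoked: the user's version was bumped after issue
        return claims

    def revoke_all(self, user_id: str) -> None:
        """Breach response: one counter increment kills every token issued so far for this user."""
        self.version[user_id] = self.version.get(user_id, 1) + 1


def demo() -> dict:
    """Walk through: token stolen, all tokens reset, stolen one dies, user logs back in."""
    svc = TokenService(SERVER_KEY)
    stolen = svc.issue("alice", now=1000)       # attacker captures this token
    bob = svc.issue("bob", now=1000)            # unrelated user, unaffected by alice's reset
    before = svc.verify(stolen, now=1001) is not None
    svc.revoke_all("alice")                     # the "reset tokens / log out" step
    after = svc.verify(stolen, now=1001) is not None
    fresh = svc.issue("alice", now=1002)        # alice logs in again and gets a new token
    return {
        "stolen_valid_before_reset": before,
        "stolen_valid_after_reset": after,
        "fresh_token_version": svc.verify(fresh, now=1003)["ver"],
        "bob_still_logged_in": svc.verify(bob, now=1003) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that revocation is a server-side state change, not a search for the stolen tokens: the defender does not need to know which tokens leaked, which is exactly the situation described above, where the number of affected accounts is unknown. The cost is that every legitimate session for the reset users is dropped too, hence the mass logout.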
Now it’s up to little old Ireland – Facebook’s European base of operations – to investigate and impose an appropriate sanction in line with the General Data Protection Regulation. The blunder should result in a penalty of $1.6 billion (the GDPR maximum of 4% of global annual turnover). The question is whether the Office of the Data Protection Commissioner will stand up for users, demonstrate its commitment to GDPR and impose a substantial fine, or accept the ‘we’re sorry and we’ll do better’ reply Facebook is so practised at delivering.
Over the past year the ODPC has shown an impressive ability to make companies more aware of how to treat their data, and of what to do in the event of a breach. It has adopted a service model offering advice and guidance with the long-term goal of baking data literacy into Irish organisations. You might not like a call from the ODPC but they’re here to help. If you don’t listen… well, there’s a stick to go with that carrot.
But what happens when you have an open and shut case with a corporate monster that can easily absorb the maximum penalty? As with the Google situation I wrote about last August, nothing less than a robust strategy will do if GDPR and the ODPC are to be taken seriously.
Unfortunately not everyone is convinced the ODPC has the clout to stand up for users.
Quoted in the Guardian this week Protecture data protection lead Rowenna Fielding said: “The Irish regulator doesn’t really have a track record of robust enforcement, so I don’t think Facebook is likely to be concerned about penalties they might levy.” Ouch.
Having Ireland considered a light touch for corporation tax is bad enough; being considered a light touch for data protection would be shameful.
My guess is the ODPC will deliver a token win for Europe and impose a fine in the region of 2% of Facebook’s global turnover, plus a warning. Such a decision leaves room to escalate when the inevitable happens and Facebook suffers another attack with similar fallout. We all need a benchmark. The ODPC has a chance to set one here, and it will have international consequences.