Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
April 8, 2019



WATCH: Facebook faces “eye-watering” GDPR fine for sharing personal data with third parties

A data breach affecting millions of Facebook users “may become the defining moment of GDPR”, according to an expert in data protection law.

The latest scandal to engulf the social media platform, in which the Facebook IDs, comments, likes, reactions and account names of 540 million users were exposed, will renew criticism of Facebook’s data-sharing business model.

Australian IT company UpGuard has revealed that it discovered users’ data on insecure servers with no security measures in place.

Facebook permitted Mexican digital publisher Cultura Colectiva to access the data, which it then uploaded to Amazon Web Services (AWS) cloud servers. A now defunct social network app called The Pool uploaded a second database containing personal details.

With Amazon’s help Facebook is trying to remove both sets of data and establish for how long the information has been exposed.

“High-stakes matter”

“This is a high-stakes matter which may become the defining moment of GDPR,” said Toni Vitale, head of regulation, data and information at law firm Winckworth Sherwood. “Data Regulators in Ireland and Spain are already investigating previous Facebook data breaches affecting their citizens and this is beginning to look like a poor pattern of behaviour from Facebook.

“The Irish regulator doesn’t really have a track record of robust enforcement, so previously Facebook is likely to have been unconcerned about penalties it might levy. It’s unlikely that Facebook will face the full $1.63bn potential as it is the maximum, but given the large number of European citizens involved and the number of previous breaches, the eventual fine is still likely to be eye-wateringly large.”

Much of Facebook’s revenue is generated by selling access to sensitive user data to third parties. Facebook insists that developers accessing its user data must store it in a secure manner, but policing such a rule is a fiendishly difficult – some would say impossible – goal.

Offering insights into the personalities and preferences of its subjects, Facebook user data has enormous commercial value and is an obvious target for hackers.

“The surface area for protecting Facebook user data is vast and heterogenous – and responsibility for securing it lies with millions of app developers.” UpGuard

In a blog post discussing its investigation into the data leak, UpGuard wrote: “These two situations speak to the inherent problem of mass information collection: the data doesn’t naturally go away, and a derelict storage location may or may not be given the attention it requires […] The surface area for protecting the data of Facebook users is thus vast and heterogenous, and the responsibility for securing it lies with millions of app developers who have built on its platform.”

It’s the latest in a series of scandals to hit the social network.

Founder and chief executive Mark Zuckerberg is still handling the fallout of the Cambridge Analytica scandal, with a criminal investigation into how political consultants used Facebook to harvest data from 87 million people still ongoing.

Facebook has also been accused of giving undue prominence on its news feeds to stories that contain false, misleading and inflammatory information. The platform’s news feed has been implicated in a genocide in Myanmar, measles outbreaks around the world and Russian state interference in the Brexit Referendum and the US Presidential Election of 2016.

Roger McNamee, a Facebook investor turned critic, told Wired that “this is a problem that is endemic in a world where the business model is about tracking human beings, claiming eminent domain on their personal data, using it for behavioural prediction, and then using the tools of machine learning and AI to steer people toward outcomes that make those predictions more valuable.”

The author of Zucked: Waking Up to the Facebook Catastrophe recently appeared on Sam Harris’s latest podcast. Quoting Renée DiResta he said that “freedom of speech is not the same as freedom of reach.”

Facebook is already facing 10 major GDPR investigations less than a year since the data protection regulation came into force.

“This is just the latest data breach affecting Facebook users. In October last year, Facebook also revealed millions of email addresses, phone numbers and other personal user information were compromised during a security breach, affecting as many as 50 million accounts.

“Last month, the company also admitted that millions of Facebook, Facebook Lite and some Instagram users had their passwords stored in plain text, leaving the accounts in question at risk. European data regulators such as the UK’s Information Commissioner’s Office regulate companies such as Facebook’s adherence to GDPR, the European law that strengthens the privacy protections of individuals and introduces tough penalties for companies that fail to protect user data and can impose fines of up to 4% of worldwide annual turnover which could mean a fine of £1.63 billion for Facebook. This was the third major GDPR investigation into Facebook in five months.”

A Facebook spokesman said: “Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”
