DUBLIN (Reuters) - Facebook's FB.O lead regulator in the European Union, the Irish Data Protection Commissioner (DPC), on Wednesday commenced an investigation into a massive cyberattack on the social networking site that the company disclosed last week.
Facebook said on Friday that hackers had stolen login codes that allowed them to access nearly 50 million Facebook accounts, its worst-ever security breach given the unprecedented level of potential access.
“In particular, the investigation will examine Facebook’s compliance with its obligation under the General Data Protection Regulation (GDPR) to implement appropriate technical and organizational measures to ensure the security and safeguarding of the personal data it processes,” the DPC said in a statement.
Under the new GDPR European privacy regulations which came into effect in May, breaking privacy laws can result in fines of up to 4 percent of global revenue or 20 million euros, whichever is higher, as opposed to a few hundred thousand euros previously.
The DPC, which regulates a number of U.S. multinationals with European headquarters in Dublin, said Facebook informed it that their own internal investigation is continuing and that the company continued to take remedial actions to mitigate the potential risk to users.
Facebook said on Tuesday that investigators had determined that the hackers did not access other sites that use the social networking site’s single sign-on.
Some security experts, including a former Facebook executive, said the company may have painted a worst-case scenario when it disclosed the attack on Friday to ensure compliance with the strict new European Union privacy rules.
GDPR imposes steep penalties if companies fail to follow rules that include a requirement that they disclose breaches within 72 hours of discovery. That is a tight window that security experts say does not give investigators adequate time to determine the impact of the breach.
Facebook’s latest vulnerability had existed since July 2017, but the company first identified it on Tuesday of last week.
Reporting by Padraic Halpin; Editing by Kirsten Donovan
Our Standards: The Thomson Reuters Trust Principles.