On Friday 28th September, Facebook disclosed that a security bug had compromised roughly 50 million accounts, allowing hackers to steal the ‘access tokens’ used to log users into related apps connected to Facebook like Airbnb, MyFitnessPal, Candy Crush & more. Because Facebook’s European subsidiary is headquartered in Ireland, the Irish Data Protection Commission (DPC) is the watchdog for EU users’ privacy.
The DPC released a statement saying that, “We understand that the number of EU accounts potentially affected is less than 10% of that [50 million accounts].”
In this post-GDPR world, what’s important to know is that Facebook could be liable for up to $1.63 billion in fines, or 4% of its $40.7 billion in annual global revenue in 2017. Companies must notify regulators of any security breach within a 72-hour window, or face an additional fine of 2% of their annual revenue. It seems that because Facebook discovered the breach on Tuesday afternoon and had reported it by Friday morning, it will avoid that penalty.
According to reporting by Wired, "the bugs that enabled the attack have since been patched...The company says that the attackers could see everything in a victim's profile, although it's still unclear if that includes private messages or if any of that data was misused. As part of that fix, Facebook automatically logged out 90 million Facebook users from their accounts Friday morning, accounting both for the 50 million that Facebook knows were affected, and an additional 40 million that potentially could have been."
A breach this large could prove to be a test case of how far the Irish DPC will enforce GDPR penalties on behalf of the European Union, although $1.63 billion would be the largest possible fine levied against the social media giant. Many questions remain, including who was responsible for the breach, whether any personal data was stolen and how that data could be used.
It's easy to feel helpless in the face of such a large data breach at a familiar social media site. After all, Facebook isn't the only organisation whose systems have been breached recently. Already in 2018 we've heard about the hack into Under Armour's MyFitnessPal app, exposing the account details of roughly 150 million users, and about marketing firm Exactis, which left aggregated data for close to 340 million personal records on an exposed public server.
Here are a few things you can do to strengthen your defences in light of these recent breaches.
1) Invest in superior firewalls
Our security partner WatchGuard’s next generation proxy technology is an excellent solution for network security. Current DPI (deep packet inspection) can be easily overwhelmed by heavy traffic, and inspects only packet-level content. Superior firewalls will decrypt and reassemble incoming traffic to scan packet data at the application level. Without strong firewalls, your network is vulnerable to breaches.
2) Email Security
Email addresses, usernames and their associated passwords are commonly stolen types of data. Using those, hackers can easily attempt phishing scams and target your systems through email. According to our partner Mimecast, 91% of attacks by sophisticated cyber criminals start through email. Secure email software will protect your team from increasingly clever phishing scams.
3) Enable MFA
Two-factor or multi-factor authentication (2FA/MFA) is one of the simplest ways to secure your IT infrastructure and verify the credentials of users who wish to connect or log in. Automated MFA builds an additional layer of simple security into your network to prevent data breaches from unauthorised entry.
4) Password Security
Password management apps or software use encryption to store all of your different logins and passwords in a vault. One master password unlocks the vault, so you can use strong, unique passwords for all of your other accounts. Another tip is to require that your team members change their passwords frequently, setting it as a monthly or quarterly task on your security to-do list.