Update: Less than 10% of the 50 million Facebook accounts affected by last week’s security breach were in the European Union, a spokesman for the privacy regulator overseeing Facebook in the EU said Monday evening, following a request to Facebook for information about the breach. He added: “Facebook has assured us that they will be in a position to provide a further breakdown in relation to more detailed numbers soon.”
Ireland’s Data Protection Commission (DPC) said Facebook’s initial notification to the regulator about the breach, sent on Thursday, “lacked detail.” It has sent questions to the company that could lead to an official investigation and potential fines.
“The DPC is concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts, but Facebook is unable to clarify the nature of the breach and the risk for users at this point,” the Commission said in an emailed statement to Forbes.
Facebook publicly announced the security breach on Friday morning Pacific Time, saying that an unknown hacker had compromised the accounts of 50 million users, using a combination of three bugs.
Since the hacker gained keys to take over any account using a Facebook login, the real number of affected users is likely to be higher than 50 million, according to analysis from Forbes cybersecurity reporter Thomas Brewster.
One of the questions the Commission has put to Facebook is over the number of European users who were affected, a Commission spokesman said. “We are waiting for further information to see what the next step is going to be.”
The Irish regulator carries out data protection regulation on behalf of the EU because Facebook’s European headquarters are based in Ireland. “We are responsible for regulating them from a data protection perspective,” the spokesman said. Facebook did not respond to a request for comment.
With more details, the Commission could eventually decide to open a formal investigation into the breach and determine whether Facebook broke the EU’s new privacy laws that came into effect in May, known as GDPR.
The new rules state that companies must do enough to protect their users’ data or face a fine of 20 million euros ($23 million) or 4% of their global annual revenue for the previous year, whichever amount is higher. The latter, in Facebook’s case, would amount to $1.6 billion, according to an estimate from The Wall Street Journal.
Regulatory fines typically don’t reach such lofty heights if a company cooperates with investigators, but an investigation and possible fine could further erode Facebook’s attempts at winning back trust from users and regulators.
Facebook has said it discovered the breach on Tuesday and notified the Irish Data Protection Commission on Thursday, meaning that it kept within the 72-hour disclosure deadline required under GDPR.