Incident Of The Week: Facebook Exposes Photos Of 6.8 Million Users In Second Data Breach Since September

Social Media Giant Gave Tech Giants Access To More People’s Data Than It Had Disclosed

Esther Shein

Facebook is not having a good week. For the second time in three months, the social media company announced it suffered a data breach, this time exposing photos from up to 6.8 million users. As a result, Facebook could be facing a multi-billion dollar fine for failing to comply with the EU’s GDPR.

The Irish Data Protection Commission, which oversees Facebook’s compliance with the European law, told CNN it has launched a “statutory inquiry” into Facebook. The news comes after Facebook announced in September that it suffered its largest ever security breach when hackers accessed the personal information of tens of millions of Facebook users.

The General Data Protection Regulation (GDPR) went into effect last May, and because Facebook’s European headquarters is in Dublin, it is required under the regulation to inform the Irish data regulator of a breach within 72 hours. The bug that exposed the photos occurred over a 12-day period in September, but Facebook didn’t notify the European regulator of the breach until Nov. 22nd, according to the company.

Companies that fail to comply with the GDPR could face fines of as much as $23 million, or 4% of their annual worldwide revenue, whichever is higher, CNN reported. Facebook had revenue of almost $40 billion in 2017, so the company could be fined up to $1.6 billion if its revenue remains about the same this year, CNN said.

Facebook said it filed the report as soon as it had “established it was considered a reportable breach.”

Meanwhile, The New York Times reported Tuesday that Facebook allowed over 150 companies to access more of its users’ personal data than it had disclosed. The social network allowed Microsoft’s Bing search engine to see the names of almost all Facebook users’ friends without consent, and it gave Spotify and Netflix the ability to read users’ private messages. It also allowed Amazon to obtain users’ names and contact information and let Yahoo view friends’ posts even after the company issued public statements that it had stopped that sort of sharing years earlier, the Times reported.

The company responded to the article by issuing a statement that “this work was about helping people do two things. First, people could access their Facebook accounts or specific Facebook features on devices and platforms built by other companies like Apple, Amazon, Blackberry and Yahoo. These are known as integration partners. Second, people could have more social experiences – like seeing recommendations from their Facebook friends – on other popular apps and websites, like Netflix, The New York Times, Pandora and Spotify.” The social media company added that “To be clear: none of these partnerships or features gave companies access to information without people’s permission, nor did they violate our 2012 settlement with the FTC.”

In September, Facebook disclosed that the data of almost 50 million user accounts was exposed after a third-party company erroneously accessed data from a legitimate quiz app.

After that first September breach was reported, the Data Protection Commission tweeted that Facebook didn’t provide sufficient information on its nature and risk to users.

To find out if you were one of the 6.8 million Facebook users whose photos were exposed, log into your account to see if you’ve received a message from the company regarding the latest breach. If you haven’t, you can assume your photos weren’t exposed.