Facebook data breach probed by Irish regulator

Ireland’s data regulator has opened an investigation of Facebook over a recent data breach that allowed hackers to access 50 million accounts. The probe could potentially cost Facebook more than $1.6 billion in fines.

The Irish Data Protection Commission said Wednesday that it will look into whether the Menlo Park social media company complied with European regulations that went into effect this year covering data protection.

It’s the latest headache for Facebook in Europe, where authorities are turning up the heat on dominant tech firms over data protection. Last month, European Union consumer protection chief Vera Jourova said that she was growing impatient with Facebook for being too slow in clarifying the fine print in its terms of service covering what happens to user data and warned that the company could face sanctions.

The commission said that it would examine whether Facebook put in place “appropriate technical and organizational measures to ensure the security and safeguarding of the personal data it processes.”


The commission said this week that the number of EU accounts potentially affected numbered less than 5 million.

Ireland, which is Facebook’s lead privacy regulator for Europe, has moved swiftly to investigate the company since the breach became public on Friday.

Facebook said Friday that attackers gained the ability to “seize control” of user accounts by stealing digital keys the company uses to keep users logged in. They could do so by exploiting three distinct bugs in Facebook’s code.

The company said it has fixed the bugs and logged out the 50 million breached users — plus another 40 million who were vulnerable to the attack — to reset those digital keys.
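The remedy described above, invalidating every outstanding login token for an affected population so that a stolen copy stops working, is a generic pattern rather than anything specific to Facebook. The following is an added illustration, not Facebook's code and not derived from the article: it assumes HMAC-signed bearer tokens that embed a per-user "generation" counter, so that a single counter bump on the server logs out every session that user holds, including any a thief copied. The key, user names and token layout are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed demo key; a real deployment would load this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class TokenService:
    """Issues and checks signed session tokens; revocation is a counter bump."""
    key: bytes = SERVER_KEY
    # user_id -> current generation. Tokens carrying an older generation are dead.
    generation: dict = field(default_factory=dict)

    def issue(self, user_id: str) -> str:
        gen = self.generation.setdefault(user_id, 0)
        payload = json.dumps(
            {"uid": user_id, "gen": gen, "nonce": secrets.token_hex(8)},
            sort_keys=True,
        ).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(payload).decode() + "." + mac

    def validate(self, token: str):
        """Return the user id if the token is authentic and current, else None."""
        try:
            b64, mac = token.split(".", 1)
            payload = base64.urlsafe_b64decode(b64.encode())
        except (ValueError, TypeError):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        # Constant-time comparison so timing does not leak MAC bytes.
        if not hmac.compare_digest(expected, mac):
            return None
        try:
            data = json.loads(payload)
            uid, gen = data["uid"], data["gen"]
        except (ValueError, KeyError, TypeError):
            return None
        # A valid signature is not enough: the generation must still be current.
        if self.generation.get(uid) != gen:
            return None
        return uid

    def revoke_all(self, user_id: str) -> None:
        """Log the user out everywhere by invalidating every issued generation."""
        self.generation[user_id] = self.generation.get(user_id, 0) + 1

    def mass_logout(self, user_ids) -> int:
        """Apply revoke_all to a list of affected accounts; returns the count."""
        count = 0
        for uid in user_ids:
            self.revoke_all(uid)
            count += 1
        return count


def demo() -> bool:
    """Stolen token works before the reset and is dead after it."""
    svc = TokenService()
    stolen = svc.issue("alice")          # attacker copies this token
    assert svc.validate(stolen) == "alice"
    svc.mass_logout(["alice", "bob"])    # incident response: reset affected users
    after_reset = svc.validate(stolen)   # None: the copy is useless now
    fresh = svc.issue("alice")           # legitimate re-login gets a new one
    return after_reset is None and svc.validate(fresh) == "alice"


if __name__ == "__main__":
    print("stolen token rejected after reset:", demo())
```

The point the counter makes is that revocation must be enforced server-side: a token's signature stays valid forever, so the only way to neutralise a copy the attacker already holds is to change what the server considers current. Bumping a per-user generation does that for every session at once, which is the server-side equivalent of the forced logout the article describes, without having to enumerate individual tokens.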

Facebook said it doesn’t know who was behind the attacks or where they’re based. Neither passwords nor credit card data was stolen. At the time, the company said it alerted the FBI and regulators in the U.S. and Europe.

Facebook didn’t immediately return a request for comment Wednesday.

Facebook has faced a tumultuous year of security problems and privacy issues. News broke early this year that a data analytics firm once employed by the Trump campaign, Cambridge Analytica, had improperly gained access to personal data from millions of user profiles. Then a congressional investigation found that agents from Russia and other countries have been posting fake political ads since at least 2016. In April, CEO Mark Zuckerberg appeared at a congressional hearing focused on Facebook’s privacy practices.

The European Union implemented stronger data and privacy rules, known as the General Data Protection Regulation, in May.

The case could prove to be the first major test of the regulation. Under the new rules, companies could be hit with fines equal to 4 percent of annual global turnover for the most serious violations. In Facebook’s case, that could amount to more than $1.6 billion based on its 2017 revenues.

The new rules also require companies to disclose any breaches within 72 hours. The commission said Facebook informed it that its internal investigation is continuing and that it is taking actions to “mitigate the potential risk to users.”

Kelvin Chan is an Associated Press writer.