Less than 10 percent of the 50 million users attacked in Facebook’s recent breach lived in the European Union, tweeted the Irish Data Protection Commission, which oversees privacy in the region. However, Facebook still could be liable for up to $1.63 billion in fines, or 4 percent of its $40.7 billion in annual global revenue for the prior financial year, if the EU determines it didn’t do enough to protect the security of its users.

Facebook wrote in response to the IDPC’s tweet that “We’re working with regulators including the Irish Data Protection Commission to share preliminary data about Friday’s security issue. As we work to confirm the location of those potentially affected, we plan to release further info soon.”

Facebook alerted regulators and the public to the breach Friday morning after discovering it Tuesday afternoon. That’s important because it came under the 72-hour deadline for announcing hacks that can trigger an additional fine of up to 2 percent of a company’s global revenue if not met.

UPDATE Facebook data breach – @DPCIreland understands that the number of potentially affected EU accounts is less than 10% of the 50 million accounts in total potentially affected by the security breach. DPC Ireland statement beneath. #dataprotection #GDPR #EUdataP pic.twitter.com/oSfGy6DP2S — Data Protection Commission Ireland (@DPCIreland) October 1, 2018

That hack saw sophisticated attackers combine three bugs in Facebook’s profile, privacy and video uploading features to steal the access token of 50 million users. These access tokens could allow the attackers to take over user accounts and act as them on Facebook, Instagram, Oculus and other sites that rely on Facebook’s login system. The EU’s GDPR laws threaten heavy fines for improper security practices and are seen as stricter than those in the U.S., so its findings during this investigation carry weight.

The big question remains what data was stolen and how it could potentially be misused. Unless investigators or journalists discover a nefarious application for that data, such as how Cambridge Analytica’s ill-gotten data was used to inform Donald Trump’s campaign strategy, it’s unlikely for the public to see this as more than just another of Facebook’s constant privacy scandals. It could still trigger regulation, or push partners away from using Facebook’s login system, but the world seems to be growing numb to the daily cybersecurity breaches that plague the internet.