Nearly a week after the worst security breach in Facebook history, the company still has no idea who was responsible.
Facebook announced last Friday that some 50 million accounts had been compromised as a hacker — or potentially multiple hackers — accessed log-in credentials via the platform’s “View As” feature. The breach also affected approximately 40 million other accounts that didn’t directly use the “View As” feature. And there’s still no indication of who was behind the hack or how the stolen information may eventually be used.
As the Wall Street Journal reported this week, Facebook executives briefed officials in Washington, including both lawmakers and members of the Department of Homeland Security, in the aftermath of the breach. However, there’s no indication they revealed the identity of the hacker — or that they even had any leads. (“The truth is we learned very little over the weekend,” The Verge dryly noted.)
Carolyn Everson, the company’s vice president of global marketing solutions, told the WSJ that the hackers were the equivalent of an “odorless, weightless intruder that walked in,” one only detectable when they “made a certain move.”
Even without the identity revealed, though, the fallout from the massive breach has been swift and wide-ranging. This week, Facebook users learned that other platforms linked to their Facebook profiles — including Yelp and Spotify, most notably — were vulnerable to hacking. A report in The Guardian noted that the breach was a “potential backdoor to thousands of third-party apps and websites.” And even while companies like Facebook have said there’s no need to change users’ passwords, hackers could still use stolen credentials to create accounts on Facebook-linked platforms, according to one of the researchers interviewed.
The breach is the latest in a litany of data-related scandals embroiling the company over the past year, from fake Russian pages to data leached by researchers tied to the scandal-plagued Cambridge Analytica firm. (On Tuesday, ThinkProgress reported that Facebook had also begun recycling the fake Russian user-names, tossing up another roadblock for researchers trying to assess the full extent of Russia’s social media interference operations.)
But where the company has taken a staggering reputational hit before, the financial costs are now starting to mount. Thanks to last week’s breach, Facebook could face a fine of upwards of $1.6 billion under the European Union’s new General Data Protection Regulation (GDPR). “This is the first big case for GDPR,” Vera Jourova, EU justice commissioner, said on Tuesday.
Ireland’s Data Protection Commission separately announced that it would likely push for a formal investigation into the breach.
UPDATE Facebook data breach – @DPCIreland understands that the number of potentially affected EU accounts is less than 10% of the 50 million accounts in total potentially affected by the security breach. DPC Ireland statement beneath. #dataprotection #GDPR #EUdataP pic.twitter.com/oSfGy6DP2S
— Data Protection Commission Ireland (@DPCIreland) October 1, 2018
Closer to home, Facebook is also facing a new class action suit directly related to the hack. Filed immediately after Facebook’s announcement last week, the suit, as The Verge reported, claimed that Facebook maintained improper security — including “deceit by concealment” — and exposed users to an increased chance of identity theft.
The plaintiffs and members of the class-action suit “suffered injury in fact and lost money or property as the result of [Facebook’s] unlawful business practices,” the suit reads, adding that “Facebook falsely represented” that personal information was “secure and that class members’ [personal information] would remain private.”
U.S. lawmakers, bogged down by the ongoing controversies and allegations surrounding Supreme Court nominee Brett Kavanaugh, haven’t commented much on the breach. However, Sen. Mark Warner (D-VA) released a statement last week calling for a “full investigation.” Said Warner, “This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I’ve said before — the era of the Wild West in social media is over.”