Facebook faces potential 1.6bn fine over photo security glitch


Facebook could face a fine of over $1.6bn (£1.3bn) after a glitch exposed the personal photos of almost 7 million users, The Telegraph reports.

The Irish Data Protection Commission (IDPC) said it had opened an inquiry into the security breach, which included images that users had never actually shared on the social network.

Under EU data laws, it could result in a fine equal to four per cent of Facebook's annual revenue if regulators determine the company did not do enough to prevent it.

A spokesman for the IDPC said: "We have this week commenced a statutory inquiry examining Facebook's compliance with the relevant provisions of the GDPR [General Data Protection Regulation]."

The inquiry will also encompass another security breach announced in October that gave hackers total control of 30m users' accounts.

It is the latest in a litany of privacy issues involving the company this year which started with the Cambridge Analytica scandal in March.

"We're sorry this happened," said Tomer Bar, an engineering director at Facebook, in an official blog post, adding that the company would work to find out who was affected and to delete their photos from other companies' systems.

He also urged users to log in to any apps that they might have shared their Facebook photos with, in order to see what images they have access to.

The problem was caused by a glitch in an update to Facebook's tools for third-party developers, which allow other apps to connect to Facebook and use its data if users consent.

Thousands of apps such as Spotify, Netflix and Airbnb, as well as quizzes and games, connect to Facebook profiles so that users can find their friends or log in more easily.

Some of these are granted access to users' photos, including photo-printing websites such as Shutterfly and MailPix and photo-editing apps that let people touch up their images.

But while these apps are supposed to have access only to photos that users have posted on their Facebook timelines, the update wrongly gave wider access to apps from 876 other companies during a 12-day window between September 13 and September 25.

Facebook became aware of the bug in September and fixed it, but did not report it to the IDPC until November 22, even though GDPR requires companies to disclose any breach of personal data within 72 hours.

A Facebook spokeswoman said the company had taken some time to determine whether the breach was serious enough to be reportable, and had met the 72-hour deadline once that was known.

Asked why it had then waited another three weeks to tell the public, the company said it had needed the time to build a system to notify users in multiple languages if their accounts had been affected.

The images exposed included photos from Facebook Stories, which disappear from other people's view after 24 hours, and photos that people had started uploading to Facebook but had not actually posted.

This may happen if a user uploads a photo but then decides they are unhappy with it, or if they lose their internet connection during the process of posting.

Asked why such photos are stored at all, Facebook said it keeps them for 48 hours in case users wish to finish posting them, and that they are not stored if the user decides not to.

It said that photos from Facebook Stories were only saved if users chose to archive all their pictures, an option which is switched off by default.
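The bug described above is a classic authorisation failure: an API scope that should have meant "photos the user posted on their timeline" was enforced as "photos the user owns", so Stories and unposted uploads came along with it. The following is an added illustration, not Facebook's code and not from the article; the data model, function names, scope name (`user_photos`) and sample photos are all hypothetical, chosen only to show the over-broad check beside a corrected one, the 48-hour draft retention the article mentions, and how the difference between the two filters tells you which photos an app should never have seen.

```python
"""Hypothetical model of the photo-scope bug discussed above.
Not Facebook's code: API, data model, names and sample data are invented."""
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    TIMELINE = "timeline"  # posted to the user's timeline: the only state an app should see
    STORY = "story"        # a Story, gone from others' view after 24 hours
    DRAFT = "draft"        # upload started but never posted


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    state: State
    uploaded_at: float  # seconds since the epoch


@dataclass(frozen=True)
class Token:
    user: str
    scopes: frozenset  # e.g. frozenset({"user_photos"}), the hypothetical scope name


# Constructed sample data. NOW is fixed so the example is deterministic.
NOW = 1_537_000_000.0
PHOTOS = [
    Photo("p1", "alice", State.TIMELINE, NOW - 86_400),
    Photo("p2", "alice", State.STORY, NOW - 3_600),
    Photo("p3", "alice", State.DRAFT, NOW - 600),
    Photo("p4", "alice", State.DRAFT, NOW - 3 * 86_400),  # draft older than 48 hours
    Photo("p5", "bob", State.TIMELINE, NOW - 86_400),
]

DRAFT_RETENTION_S = 48 * 3600  # the 48-hour window the article says unposted uploads are kept


def purge_stale_drafts(photos, now):
    """Storage-side control: drop unposted uploads older than the retention window."""
    return [
        p for p in photos
        if not (p.state is State.DRAFT and now - p.uploaded_at > DRAFT_RETENTION_S)
    ]


def photos_for_app_buggy(token, photos):
    """The over-broad filter: ownership alone decides what the app may read,
    so Stories and drafts are returned alongside timeline photos."""
    if "user_photos" not in token.scopes:
        return []
    return [p.photo_id for p in photos if p.owner == token.user]


def photos_for_app_fixed(token, photos):
    """Corrected filter: the scope grants timeline photos only, so the photo's
    state is checked as well as its owner."""
    if "user_photos" not in token.scopes:
        return []
    return [
        p.photo_id for p in photos
        if p.owner == token.user and p.state is State.TIMELINE
    ]


def leaked(token, photos):
    """Audit helper: photo IDs the buggy filter exposed that the fixed one withholds,
    i.e. what an affected app should never have been able to fetch."""
    return set(photos_for_app_buggy(token, photos)) - set(photos_for_app_fixed(token, photos))


if __name__ == "__main__":
    tok = Token("alice", frozenset({"user_photos"}))
    print("buggy :", photos_for_app_buggy(tok, PHOTOS))
    print("fixed :", photos_for_app_fixed(tok, PHOTOS))
    print("leaked:", sorted(leaked(tok, PHOTOS)))
    print("after purge:", [p.photo_id for p in purge_stale_drafts(PHOTOS, NOW)])
```

The point of `leaked` is the same exercise Facebook described doing after the fact: once the correct rule is written down, diffing it against what the old code returned gives the list of affected photos per app. Note that `purge_stale_drafts` does not on its own fix the bug, since a fresh draft still exists inside the window; only checking the photo's state in the API filter does.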

A spokeswoman declined to provide a list of the app developers who had access to the photos, saying only that Facebook does not think all of them had actually used that access while it was available.

She said that Facebook was giving all the developers two months to check for and delete any photos they may have downloaded, and that any which failed to prove they had done so would lose their access to Facebook's data.

The Cambridge Analytica breach began when a third-party developer was allowed to harvest user information which was later used in political campaigns.

The documents seized and published by Parliament earlier this month were also concerned with who had access to Facebook's data and under what conditions they could access it.

Commenting on the leak, Mark Zuckerberg said Facebook's crackdown on outside access in 2015 had prevented "a lot of sketchy apps" from harvesting its users' data.

Another glitch, disclosed privately to the company in May and revealed last month, made it possible for malicious websites to quietly siphon personal data out of Facebook users' accounts so long as they were logged into the site.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, called the breach "stunning" and said it was "like a provider sending draft emails".

He told the Washington Post that the breach could put Facebook in breach of an agreement it signed with US trade regulators in 2011 requiring it to improve its privacy practices or face fines.

The company declined to comment on how many people had been affected in the UK.
