The hackers exploited a feature in Facebook’s code to gain access to user accounts, potentially enabling the attackers to take control of those accounts. The breach was the largest in Facebook’s fourteen years of existence.
The fallout Facebook is facing from this breach is the latest example of the see-through economy at work. Since September 27, Facebook’s market value has dropped over 8%. However, the string of recent scandals that have occurred since July 20 of this year has reduced Facebook’s market value by nearly 25%. This is the financial cost of Facebook’s decision to reject an investor proposal for the company to create a separate and independent risk committee. Had Facebook heeded this request, this breach would have been avoided.
Furthermore, Facebook could face a fine of as much as $1.63 billion in the European Union for the breach under the GDPR law that went into effect earlier in 2018. This is one of the first major tests of the GDPR. While there have been a number of other breaches, few if any have been on the scale of Facebook’s recent breach.
Under GDPR, companies are required to notify regulators within 72 hours of the breach occurring. Facebook could face a fine of up to $850 million if it were found to have missed the 72-hour window. According to a report in The Wall Street Journal, it appears Facebook may have notified Ireland’s Data Protection Commission, the lead privacy regulator for Facebook in the EU, within the 72-hour timeline.
The Irish DPC, however, has said that Facebook’s notification “lacked detail.” If EU regulators determine that Facebook failed to take sufficient measures to secure user data prior to the breach, Facebook would face a maximum fine of €20 million ($23 million) or 4% of worldwide revenue, whichever is greater. Based on Facebook’s 2017 revenue, the latter amount would be $1.63 billion.