As we previously noted, Facebook originally announced a breach late last month in which hackers took advantage of a code vulnerability in the website’s “View As” feature to access users’ data. However, on October 12, 2018, Facebook revised the number of affected accounts down from 50 million to roughly 30 million, and it acknowledged that hackers were able to view varying levels of information for different accounts.
For about 14 million of the users, hackers were able to view a user’s 15 most recent Facebook searches, the last 10 places where he or she had checked in or been tagged, phone number, email address, hometown, birth date, relationship status, religion, and the Facebook pages he or she was following. For another 15 million users, the hackers were able to view the user’s name, phone number and email address. About one million users were affected without any personal data being made available. However, Facebook stated that the hackers did not gain access to account passwords or credit card information.
While the update from Facebook acknowledged that millions fewer users than originally thought were affected, it confirmed that various data points were taken by the hackers. Facebook advised that the FBI is currently investigating the matter. Further, regulators will now be left to decide how to address the breach and Facebook. It will be interesting to see how this matter unfolds, and what steps, if any, are taken by domestic or foreign administrative bodies.
Particularly with Europe’s General Data Protection Regulation (GDPR) now in play, regulators in Europe will have significant sanctions at their disposal, including a fine of up to four percent of Facebook’s annual global revenue if it is found to have breached GDPR. Given that Facebook earned roughly $40.65 billion in revenue last year, a GDPR fine could total around $1.63 billion. We’ll be sure to look out for future developments on this matter.