MANILA, Philippines – The European Union may slap Facebook with an up to $1.63 billion fine following the social media company’s disclosure that some 50 million users were affected by a hack, the Wall Street Journal reported Sunday, September 30 (October 1, Manila time). 

Facebook disclosed on September 28 (September 29, Manila time) that attackers took advantage of 3 bugs on the service to take the access tokens of 50 million accounts. The access tokens allowed access to a user’s Facebook account and also allowed an attacker to potentially access accounts of app or service users who took advantage of Facebook’s Single Sign-on for logging into other services.

Facebook reset the access tokens of 90 million accounts in the process of fixing the issue, but will have to deal with the repercussions of the attack as the days progress. (READ: What to do after the massive Facebook hack?)

Less than 10% of the total number of those affected – or some 5 million EU Facebook users – were hit by the attack on Facebook, according to a tweet from the Irish Data Protection Commission (IDPC).

UPDATE Facebook data breach – @DPCIreland understands that the number of potentially affected EU accounts is less than 10% of the 50 million accounts in total potentially affected by the security breach. DPC Ireland statement beneath. #dataprotection #GDPR #EUdataP pic.twitter.com/oSfGy6DP2S

— Data Protection Commission Ireland (@DPCIreland) October 1, 2018

In response to the tweet, Facebook said it was working with the IDPC to “share preliminary data about Friday’s security issue.”

We’re working with regulators including the Irish Data Protection Commission to share preliminary data about Friday’s security issue. As we work to confirm the location of those potentially affected, we plan to release further info soon. https://t.co/Cs1uSMtBNk

— Facebook (@facebook) October 1, 2018

The Wall Street Journal adds the GDPR’s potential fine is found as the higher value between a maximum fine of 20 million euros or 4% of the firm’s global annual revenue for the prior year.

Additionally, GDPR mandates the authorities be notified of found breaches within 72 hours. Those who fail to comply face an additional fine: 2% of world-wide revenue. Facebook did disclose the breach within the 72-hour deadline.

While the GDPR could push for a fine, Facebook receiving a penalty will depend on due diligence – whether the company adequately safeguarded users’ data prior to a hack, and whether it complied or cooperated with GDPR statutes.

Facebook may potentially have more liability as the GDPR recommends companies store as little data as possible.

In the US, Facebook is still under investigation by the Federal Trade Commission over the Cambridge Analytica scandal, which may see Facebook getting another fine of over $1 billion.

Fines for Facebook may ultimately depend on how badly governments and the people want answers for these missteps by companies who have our data in their pockets. – Rappler.com