Workload and Application Security Blog

ICO issues maximum £500,000 fine to Facebook for failing to protect users’ personal information

Written by Virsec Systems | Nov 7, 2018 2:36:06 AM

And...Tim Cook calls for GDPR-style privacy laws in the US

87 million Facebook users breached, 2007-2014

Earlier this year it was revealed that 87 million Facebook users had their data compromised over 7 years, between 2007 and 2014. Because it mishandled information, Facebook gave developers unfair access to user info without the users' consent. One developer, Aleksandr Kogan, took data that was later used by SCL Group, better known by the name of one of its companies, Cambridge Analytica, which was involved in US political campaigning.

Facebook’s missteps

Facebook didn't protect its users' information because it didn't adequately check the apps and developers on its platform. Even friends of the people using the unchecked apps were compromised.

Facebook's missteps continued. Even after discovering the breach in December 2015, Facebook again neglected to take proper steps, such as blocking the Cambridge company from the platform and from user data, for 3 more years, until 2018.

ICO imposes fine of £500,000

The Information Commissioner's Office (ICO) investigation uncovered these details and also found that the 87 million compromised users included one million UK users whose personal information was put at risk. The ICO considered these violations extremely serious and pointed out that, given Facebook's size and expertise, it should have known better and done a better job of protecting its users. The ICO imposed the maximum fine it could, £500,000, under the Data Protection Act 1998, the law applicable at the time. That law has since been replaced by the 2018 GDPR; had the GDPR been in place, the penalty would have been significantly higher.

The ICO is the UK's independent regulatory body for data protection and information rights. It enforces the UK Data Protection Act 2018 (DPA 2018) and the GDPR, among other laws.

Tim Cook weighs in on the US need for stricter privacy laws

The same week this ICO fine came down, Apple's CEO Tim Cook went on record praising Europe's GDPR policy and its successful implementation. A longtime advocate of data privacy, Mr. Cook believes the US needs to follow suit with the same level of commitment in federal regulation, including teeth in the form of penalties for violators, to protect people's information and their right to privacy.

Critics of such regulations claim these rules would inhibit innovation, but Mr. Cook counters that people need to have faith in technology rather than feel threatened by it. With massive breaches happening on a near-daily basis, security experts are more in alignment with Mr. Cook's sentiments than not. Most agree that businesses must take data protection with the utmost seriousness to restore the public's trust, and strong regulations have a way of enforcing a higher level of commitment and effort.

Sources:

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/10/facebook-issued-with-maximum-500-000-fine/

https://www.engadget.com/2018/10/24/tim-cook-calls-for-gdpr-style-privacy-laws-in-the-us/