Interesting implications in Europe
The 50 million compromised accounts are the first major test of the GDPR
On Friday, a massive breach opened up a new front in the war on Facebook. According to the company, more than 50 million accounts were taken over by a kind of login worm, which used a series of unpublished vulnerabilities to hijack session keys on an unprecedented scale. Hackers had full access to any of the targeted accounts — essentially, they could do whatever you can do when you’re logged in — and Facebook is still working to survey the full extent of the damage.
Breach response is always chaotic, but this one is particularly haphazard because of a new set of rules established by the EU’s General Data Protection Regulation or GDPR. Implemented in May, the GDPR sets strict requirements for any breach involving EU citizens, requirements that are already guiding Facebook’s response to the session key attack. According to Facebook’s timeline, the disclosure on Friday came just before the 72-hour window for disclosing the news to privacy commissioners, a far tighter deadline than companies usually adopt.