Facebook’s lead regulator in the European Union, the Irish Data Protection Commissioner (DPC), continued on Thursday an investigation into a massive cyber-attack on the social networking site that the company disclosed last week.
Facebook said on Friday that hackers had stolen login codes that allowed them to access nearly 50 million Facebook accounts.
This is its worst-ever security breach, given the unprecedented level of potential access.
“In particular, the investigation will examine Facebook’s compliance with its obligation under the General Data Protection Regulation (GDPR) to implement appropriate technical and organizational measures.
Such measures will ensure the security and safeguarding of the personal data it processes,” the DPC said in a statement.
Under the new GDPR European privacy regulations which came into effect in May, breaking privacy laws can result in fines of up to 4 per cent of global revenue or 20 million euros whichever is higher.
The fine is as opposed to a few hundred thousand euros previously.
The DPC said that Facebook informed it that their own internal investigation is continuing and that the company continued to take remedial actions to mitigate the potential risk to users.
DPC regulates a number of U.S. multinationals with European headquarters in Dubsaid.
Facebook said on Tuesday that investigators had determined that the hackers did not access other sites that use the social networking site’s single sign-on.
Some security experts, including former Facebook executive, said the company may have painted worst-case scenario when it disclosed the attack on Friday to ensure compliance with the strict new European Union privacy rules.
GDPR imposes steep penalties if companies fail to follow rules that include a requirement that they disclose breaches within 72 hours of discovery.
That is a tight window that security experts say does not give investigators adequate time to determine the impact of the breach.
Facebook’s latest vulnerability had existed since July 2017, but the company first identified it on Tuesday of last week.