(LONDON) — Ireland’s data regulator has launched an investigation of Facebook over a recent data breach that allowed hackers access to 50 million accounts. The probe could potentially cost Facebook more than $1.6 billion in fines.
The Irish Data Protection Commission said Wednesday that it will look into whether the U.S. social media company complied with European regulations that went into effect earlier this year covering data protection.
It’s the latest headache for Facebook in Europe, where authorities are turning up the heat on dominant tech firms over data protection. Last month, European Union consumer protection chief Vera Jourova said that she was growing impatient with Facebook for being too slow in clarifying the fine print in its terms of service covering what happens to user data and warned that the company could face sanctions.
The commission said in a statement that it would examine whether Facebook put in place “appropriate technical and organizational measures to ensure the security and safeguarding of the personal data it processes.”
The commission said earlier this week that fewer than 5 million EU accounts were potentially affected.
Ireland, which is Facebook’s lead privacy regulator for Europe, has moved swiftly to investigate the U.S. tech company since the breach became public on Friday.
Facebook said Friday attackers gained the ability to “seize control” of user accounts by stealing digital keys the company uses to keep users logged in. They could do so by exploiting three distinct bugs in Facebook’s code.
Facebook also said the hackers could have used those stolen digital keys to access outside services or apps that let people log in with their Facebook usernames and passwords. The company said it hasn’t found any evidence of this happening.
The company said it has fixed the bugs and logged out the 50 million breached users — plus another 40 million who were vulnerable to the attack — in order to reset those digital keys. Facebook said it doesn’t know who was behind the attacks or where they’re based. Neither passwords nor credit card data was stolen. At the time, the company said it alerted the FBI and regulators in the U.S. and Europe.
Facebook said in a statement Wednesday that it has been in close contact with the Irish agency since it became aware of the breach and will continue to cooperate with the investigation.
Facebook has faced a tumultuous year of security problems and privacy issues. News broke early this year that a data analytics firm once employed by the Trump campaign, Cambridge Analytica, had improperly gained access to personal data from millions of user profiles. Then a congressional investigation found that agents from Russia and other countries have been posting fake political ads since at least 2016. In April, Zuckerberg appeared at a congressional hearing focused on Facebook’s privacy practices.
The European Union implemented stronger data and privacy rules, known as the General Data Protection Regulation, in May.
The case could prove to be the first major test of GDPR. Under the new rules, companies could be hit with fines equal to 4% of annual global turnover for the most serious violations. In Facebook’s case, that could amount to more than $1.6 billion based on its 2017 revenues.
The new rules also require companies to disclose any breaches within 72 hours. The commission said Facebook informed it that its internal investigation is continuing and that it is taking actions to “mitigate the potential risk to users.”