Europe’s strict new data regulations may prevent Facebook from identifying the hackers who compromised up to 50 million users’ accounts last week, the social network’s former security chief warned Monday.
Alex Stamos, who recently resigned from Facebook, claimed that forcing companies to disclose a breach within 72 hours means that neither companies nor law enforcement agencies are able to conduct sufficient tracking operations to identify the hackers.
“You can do incident response quickly or correctly, but not both,” Stamos said on Twitter, adding that he had once run a response operation following the breach of a financial institution “which wasn't disclosed for months as the company was working with the [Secret Service] to lure the attackers into a trap. It worked.”
Stamos’ claim was backed by Chris Painter, a former senior official at the National Security Council, who pointed out that several U.S. state data breach laws explicitly have notification delay provisions if law enforcement is conducting an investigation. “Having once been on the law enforcement side of the fence, that delay could help law enforcement prevent or mitigate further harm,” Painter said.
Facebook, the Irish Data Protection Commission and the European Commission have yet to comment on Stamos’ claims.
The Irish DPC is charged with enforcing Europe’s strict privacy and data protection rules because most of Silicon Valley’s tech giants have their European headquarters in Dublin.
The social network discovered the breach last Tuesday and reported it to the Irish Data Protection Commission Thursday, according to a spokesperson for the agency. The company informed the public about the breach, which was the worst in the company’s 14-year history, on Friday.
Under Europe’s strict new privacy regulation, known as the General Data Protection Regulation (GDPR), companies have just 72 hours to inform the relevant authority about a breach of user data or face a fine of up to 2 percent of their global annual revenue.
That fine would be separate from the potential $1.63 billion penalty Facebook faces for failing to adequately protect users’ data.
Ireland’s Data Protection Commission announced Monday that approximately 10 percent -- or 5 million -- of the total affected accounts globally were EU-based.
Helen Dixon, Ireland’s Data Protection Commissioner, has yet to officially launch an investigation into the breach, but a source at the agency confirmed to VICE News that an official probe will likely be launched later this week.
The source, who was not authorized to speak on the record, also said that the figure of 5 million was the maximum possible figure, and in reality the commission expected the number of people impacted to be “significantly lower.”
Stamos said the GDPR rules forced Facebook to disclose the maximum number of users who could have been affected, and that doing so before a full investigation is complete only adds to the confusion among users.
Europe’s top data protection official, Věra Jourová, called the breach “really worrying news,” urging Facebook to cooperate with the Irish authorities. The company has been in constant contact with the DPC in Dublin since the breach was reported.
The case marks a significant first test for Europe’s new privacy rules and for the Irish commission, which is charged with enforcing EU law because Facebook’s international headquarters is based in Dublin.
In the U.S. a class-action lawsuit was filed within hours of the company going public with the breach.
Facebook remained tight-lipped Monday about its own investigation into the hack, which is focusing on who did it, why they did it, and what data they accessed. CNN reported Monday that Facebook would brief lawmakers in Washington later in the week.
The breach may also have impacted third-party services that use Facebook to log users in, with Spotify, Airbnb, and Tinder potentially affected. So far Facebook has said little about this aspect of the breach, and Tinder is calling for more information to be shared.
Cover image: The Facebook logo is seen on an Apple iPhone on October 1, 2018. (Jaap Arriens/NurPhoto via Getty Images)