Frustrated posts from Facebook users point to confusion over the company's Friday announcement that as many as 50 million accounts may have been compromised. Users of the social media platform want to know if their accounts were used and if so, how and by whom.
But cybersecurity investigations take time — they always have. They can be messy and inconclusive for months, or even years. But because of General Data Protection Regulation (GDPR) enacted this May in the European Union, fast but incomplete notifications are likely the new norm.
GDPR calls for a swift three-day notification period for companies to tell people who may have been affected by a breach. But companies often don't know who precisely got the brunt of the hack among their customers right away. So while notifications may go out, the process of uncovering details in the public eye will be much slower.
"The GDPR requires prompt notice — 72 hours from 'awareness' of the breach. But it doesn't require 'perfect' notice," explains Paul Ferrillo, head of the cybersecurity practice at law firm Greenberg Traurig. "The [regulation] allows an immediate notice within 72 hours, as well as updates to that notice in phases. It comports to the right of the individual to know if there is a breach to protect him or herself."
"It's very hard for even the most skilled practitioners to fully understand the contours of a sophisticated data breach in less than 72 hours," he said.
Compared to a wide range of types of hacks, the attack against Facebook appears to have been genuinely "sophisticated," a term that is sometimes overused in relation to security breaches but applies here and means the investigation could take a long time.
Facebook's attack was multi-pronged and used previously unknown security loopholes in multiple applications available on the platform. Only when used in concert did these loopholes allow attackers to compromise accounts, Zuckerberg said on Friday. This is more complex than other breaches that may be easier to investigate, like email spear-phishing attacks, Ferrillo said.
Other companies that have dealt with breaches like these, which involve several steps and activities by attackers, have also struggled with a changing narrative that plays out in the public eye. Corporations like Equifax and Sony, had investigations that stretched for months and, for some details, more than a year. Like these events, details about what happened at Facebook will likely shift in the coming months.
Despite the complexity of the company's security investigation, Facebook has invested a great deal of time and resources into its security program. It has simultaneously faced privacy and security scandals throughout the past year. It's unlikely that consumers or regulators will be forgiving.
The GDPR's main governing body, which is based in Ireland, issued a statement this week indicating they may be tough on the social media giant: "[Facebook's] notification lacks detail and the [Data Protection Commission] is concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts, but Facebook is unable to clarify the nature of the breach and the risk for users at this point. The DPC continues to press Facebook to clarify these matters further as a matter of urgency."
This is key, as the stakes are high for Facebook. A maximum fine under GDPR amounts to 4 percent of a company's global annual turnover from the previous year. For Facebook, that could be well over $1 billion.
It gets more dire for Facebook, given GDPR was passed in part over concerns specifically about how companies handle the personal information of consumers.
Facebook's seemingly muddy messaging over breach will be the new norm under GDPR.