Facebook hack affected 3 million in Europe, creating the first big test for privacy regulation there

Key Points
  • A September Facebook security breach affected about 3 million European users, according to a spokesperson from the Irish Data Protection Commission.
  • This will be the first major test of a strict new European privacy regulation called GDPR, under which Facebook could be fined up to 4 percent of its annual revenue.
Photo: Facebook CEO Mark Zuckerberg answers questions about the improper use of millions of users' data by a political consultancy, at the European Parliament in Brussels, Belgium, in this still image taken from Reuters TV, May 22, 2018. (ReutersTV | Reuters)

Approximately 3 million Europeans were affected by a September Facebook security breach in which users' personal information was stolen, the Irish Data Protection Commission told CNBC on Tuesday.

This security breach is expected to be the first major test of Europe's new General Data Protection Regulation, and the number of European users affected could help determine the severity of any penalties against the company.

Under GDPR, companies handling the personal data of Europeans must adhere to strict requirements for holding and securing that information, and must report breaches to the relevant supervisory authority within 72 hours of becoming aware of them. Under the regulation, companies can face fines of up to 4 percent of their annual global revenue (or 20 million euros, whichever is higher). For Facebook, which made more than $40.65 billion in revenue in 2017, that fine could be as much as $1.63 billion.

Facebook first disclosed the security breach on Sept. 28, saying 50 million accounts had their login access tokens stolen. That figure was reduced to 30 million on Friday, and Facebook confirmed that 29 million of the affected users had their names and contact information exposed. Among those users, 14 million also had other personal information, such as their gender, relationship status and their recent place check-ins, stolen by the attackers.

Facebook previously declined to share how many users impacted by the breach were based in Europe. But Facebook told the Irish Data Protection Commission that 10 percent of the affected accounts were European, according to Graham Doyle, the commission's head of communications.

The company did not immediately respond to a request for comment on Tuesday.

The Irish Data Protection Commission is investigating the data breach.

"The update from Facebook last Friday, 12 October, was significant as Facebook has confirmed that the personal data of millions of users was taken by the perpetrators of the attack," said a spokesman for the office of the Irish Data Protection Commissioner. "The Data Protection Commission's statutory investigation into the breach and Facebook's compliance with its obligations under the GDPR continues."

Vera Jourova, the EU's justice commissioner, told CNBC earlier this month, "We have very strict rules and we have very strong instruments to discipline the companies which deal and which handle the private data of people, which is obviously the case with Facebook."
