Facebook Fined 500,000 For Cambridge Analytica Scandal: Example # 1


Example # 1:

Facebook fined £500,000 for Cambridge Analytica scandal

25 October 2018

Image caption: Facebook's chief executive has repeatedly declined to answer questions from UK MPs about the scandal

Facebook has been fined £500,000 by the UK's data protection watchdog for its role in the Cambridge
Analytica data scandal.
The Information Commissioner's Office (ICO) said Facebook had let a "serious breach" of the law take place.
The fine is the maximum allowed under the old data protection rules that applied before GDPR took effect in May.

The ICO said Facebook had given app developers access to people's data "without clear consent".

In July, the ICO notified the social network that it intended to issue the maximum fine.

Confirming the fine, it said in a statement: "Between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent, and allowing access even if users had not downloaded the app, but were simply 'friends' with people who had."

Media caption: July 2018: Ms Denham warns Facebook

"Facebook also failed to keep the personal information secure because it failed to make suitable checks on
apps and developers using its platform."

Facebook said it was "reviewing" the ICO's decision.

"While we respectfully disagree with some of their findings, we have said before that we should have done
more to investigate claims about Cambridge Analytica and taken action in 2015," it said in a statement.

What was the Cambridge Analytica data scandal?


Researcher Dr Aleksandr Kogan and his company GSR used a personality quiz to harvest the Facebook data of
up to 87 million people.

Some of this data was shared with Cambridge Analytica, which used it to target political advertising in the US.

"Even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure
those who continued to hold it had taken adequate and timely remedial action, including deletion," the ICO
said.

The ICO found that more than one million people in the UK had their data harvested by the personality quiz.

"A company of its size and expertise should have known better and it should have done better," said
Information Commissioner Elizabeth Denham.

The ICO is still investigating how data analytics is used for political purposes.

Ms Denham is due to give evidence to the Department for Digital, Culture, Media and Sport (DCMS) Select
Committee on 6 November.
Example #2:

Facebook faces $1.6bn fine and formal investigation over massive data breach

Irish data regulator could penalize the social network after hack of nearly
50m accounts

Olivia Solon in San Francisco

Wed 3 Oct 2018 17.12 EDT

Photo caption: The Irish Data Protection Commission regulates Facebook’s adherence to European data standards. Photograph: Alamy Stock Photo

The Irish Data Protection Commission has opened a formal investigation into a data
breach that affected nearly 50m Facebook accounts, which could result in a fine of up to
$1.63bn.

The breach, which was discovered by Facebook engineers on Tuesday 24 September, gave hackers the ability to take over users’ accounts. It was patched on Thursday, the company said.

“The investigation will examine Facebook’s compliance with its obligation under the General Data Protection Regulation (GDPR) to implement appropriate technical and organisational measures to ensure the security and safeguarding of the personal data it processes,” the commission said in a statement on Wednesday.

The commission regulates Facebook’s adherence to GDPR, a European law that strengthens the privacy protections of individuals and introduces harsh penalties for companies that fail to protect user data.

The commission noted that Facebook had informed the commission that its internal
investigation was continuing and that the company continued “to take remedial actions
to mitigate the potential risk to users”.

“We have been in close contact with the Irish Data Protection Commission since we have
become aware of the security attack and will continue to cooperate with their
investigation,” said a Facebook spokeswoman.

Shortly after the Irish Data Protection Commission announced its investigation, the
Spanish Data Protection Agency announced it would collaborate on the investigation to
protect the rights of Spanish citizens.

The security breach is believed to be the largest in Facebook’s history and is particularly
egregious because the hackers stole “access tokens”, a digital security key that allows
users to stay logged into Facebook over multiple browsing sessions without having to
enter their password each time. When an attacker has this token they can take full
control of a victim’s account, including logging into third-party applications that use
Facebook Login.

The breach comes at time when Facebook is under heavy scrutiny over issues including
foreign interference in elections, its role in spreading misinformation and hate
speech, and privacy.

Facebook announced the breach in a blogpost on Friday, saying it was taking the issue
“incredibly seriously”. Over the weekend the commission said it was “concerned that
this breach was discovered on Tuesday and affects millions of users”.

Facebook was “unable to clarify the nature of breach and risk” to users at that point, the
commission said, adding that it was pushing the company to “urgently clarify these
matters”.

Rowenna Fielding, a senior data protection lead at Protecture Limited, said: “Facebook should have tested the ‘view as’ function with a ‘what could an attacker do with this’ mindset and they either didn’t, or didn’t care about the gaping hole.”

Photo caption: The investigation will focus on ‘Facebook’s compliance with its obligation under (GDPR)’. Photograph: Alamy Stock Photo

Dr Lukasz Olejnik, an independent cybersecurity and privacy adviser, noted that this
was the first major GDPR investigation that would test whether Facebook followed its
rules around security of data processing.

“This high-stakes matter may become the defining moment of GDPR,” he said.

Other data security experts believe that Facebook will get off lightly.

“The Irish regulator doesn’t really have a track record of robust enforcement, so I don’t
think Facebook is likely to be concerned about penalties they might levy,” said Fielding.

She said that the $1.63bn potential fine was “unlikely”, describing it as a “ceiling, not a
stipulation”.

“However, the precedent set by any regulatory finding of unlawful processing could be
very significant, especially in follow-on litigation by individual data subjects affected,”
she added.
Example #3:

GDPR: Google and Facebook face up to $9.3B in fines on first day of new privacy law
An Austrian privacy group is wasting no time.

Sean Keane

May 25, 2018 12:49 PM PDT

Image caption: Facebook is among the first companies to be hit with a complaint under new EU privacy laws. NurPhoto/Getty

Google, Facebook, Instagram and WhatsApp have been hit with privacy
complaints within hours of GDPR taking effect Friday -- complaints that could
carry fines of up to $9.3 billion in total.
Privacy-advocacy group Noyb.eu said the four companies are forcing people to
adopt a "take it or leave it" approach with regard to privacy -- essentially
demanding that users submit to intrusive terms of service.

The Noyb group is run by Austrian data privacy activist Max Schrems, who
compared that choice to a "North Korean election process."

"Tons of 'consent boxes' popped up online or in applications, often combined with a threat, that the service cannot longer be used if user[s] do not consent," his group said in a statement.

Noyb is asking regulators in France, Belgium, Hamburg and Austria to fine the
companies up to the maximum 4 percent of their annual revenue that the GDPR
rules allow, which could potentially add up to a $4.88 billion fine for Google
parent company Alphabet and $1.63 billion for each of Facebook, and its
Instagram and WhatsApp services. That's only if European regulators agree with
Noyb.eu and decide to fine the companies the full amount, though.

GDPR, short for General Data Protection Regulation, is designed to give citizens
of the European Union greater control over how their information is used online.
It kicked in Friday after a two-year transitional period, and its effect was
immediate. Europeans, for example, were blocked from several US news
outlets Friday as a result of the regulation.

Google has said it has taken key steps to ensure compliance ahead of the new
law.

"We build privacy and security into our products from the very earliest stages and
are committed to complying with the EU General Data Protection Regulation," a
Google spokesperson said in a statement, which also noted its blog post on
GDPR.

Facebook, which owns Instagram and WhatsApp, said the company has been
working to meet the requirements of GDPR.

"Over the last 18 months, we have taken steps to update our products, policies
and processes to provide users with meaningful data transparency and control
across all the services that we provide in the EU," Erin Egan, Facebook's chief
privacy officer, said in an emailed statement.
Example #4:

British Airways slapped with £183m GDPR mega-fine over 2018 breach

Record penalty follows first-class security screw-up

Image caption: BA's 2018 breach saw hackers take off with customer info

Carly Page
08 July 2019

BRITISH AIRWAYS (BA) has been slapped with a record-breaking £183m GDPR fine following the 2018 mega-breach that saw hackers take off with customers' data.

The Information Commissioner's Office (ICO) said on Monday that, following an "extensive investigation" into the incident, it has decided to whack the airline with a hefty £183.4m penalty, representing 1.5 per cent of BA's worldwide revenue in 2017.

While less than the maximum GDPR fine of four per cent, this is the biggest
penalty handed out under the new regulations to date; previously the largest
was the £500,000 penalty imposed on Facebook for its role in the
Cambridge Analytica privacy scandal.

The ICO noted that its investigation found that the personal data of approximately 500,000 BA customers was compromised in the mega-breach, due to "poor security arrangements" at the company. This data included names and addresses, log-in details, travel booking info and payment card details - including the number, expiry date and three-digit security code.

Information Commissioner Elizabeth Denham said: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.

"That's why the law is clear - when you are entrusted with personal data you
must look after it.

"Those that don't will face scrutiny from my office to check they have taken
appropriate steps to protect fundamental privacy rights."

BA CEO and chairman Alex Cruz said the airline was "surprised and disappointed" by the ICO's decision, sobbing: "British Airways responded quickly to a criminal act to steal customers' data.

"We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused."

Willie Walsh, CEO of BA's parent company International Airlines Group, added: "British Airways will be making representations to the ICO in relation to the proposed fine.

"We intend to take all appropriate steps to defend the airline's position
vigorously, including making any necessary appeals."
