The Irish Data Protection Commission has opened a formal investigation of Facebook over a recent data breach that allowed hackers access to 50 million accounts.
The probe could potentially cost the social media giant more than $1.6 billion in fines.
In the security breach, believed to be the largest in Facebook’s history, attackers gained the ability to “seize control” of user accounts by stealing digital keys the company uses to keep users logged in.
The attack took place through the “View As” function, which allows users to see how other people can see their own profile. Hackers used bugs in the feature that allowed them to steal Facebook access tokens, which they could then use to take over people’s accounts.
The Irish Data Protection Commission said it will look into whether Facebook complied with European regulations that went into effect earlier this year covering data protection. The General Data Protection Regulation (GDPR) is a European law that strengthens the privacy protections of individuals and introduces harsh penalties for companies that fail to protect user data.
“The investigation will examine Facebook’s compliance with its obligation under the General Data Protection Regulation (GDPR) to implement appropriate technical and organisational measures to ensure the security and safeguarding of the personal data it processes,” the Irish Data Protection Commission said in a statement on Wednesday.
Facebook informed the commission that its internal investigation was continuing and that the company continued “to take remedial actions to mitigate the potential risk to users”.
“We have been in close contact with the Irish Data Protection Commission since we have become aware of the security attack and will continue to cooperate with their investigation,” a Facebook spokeswoman said.
Up to 5 million European users were targeted in the attack in what is the latest in a series of security breaches affecting Facebook.
Facebook is already facing huge criticism over the way it handles users data including the Cambridge Analytica scandal where around Facebook users – and their friends – had their personal data improperly obtained by a political research firm linked to Donald Trump’s presidential campaign and the Leave campaign in the Brexit referendum.