Fewer than ten percent of the victims of the hack were from the EU, but the problem for Facebook is that the number is still high and the EU has some rather nasty laws available that other countries don't have.
Facebook could face up to $1.63 billion in fines, or four percent of its $40.7 billion in annual global revenue for the prior financial year, if the EU determines it didn’t do enough to protect the security of its users.
Facebook has written that it is working with regulators including the Irish Data Protection Commission to share preliminary data about the security issue.
Facebook alerted regulators and the public to the breach Friday morning after discovering it Tuesday afternoon. That’s important because it came in under the 72-hour deadline for announcing hacks; missing that deadline can trigger an additional fine of up to two percent of a company’s global revenue.
The hack saw sophisticated attackers combine three bugs in Facebook’s profile, privacy and video uploading features to steal the access tokens of 50 million users. These access tokens could allow the attackers to take over user accounts and act as them on Facebook, Instagram, Oculus and other sites that rely on Facebook’s login system. The EU’s GDPR laws threaten heavy fines for improper security practices and are seen as stricter than those in the US, so the EU’s findings during this investigation carry weight.
The big question remains what data was stolen and how it could potentially be misused. It might be that trolls were hoping to grab information to help win the US election (again).