Ahead of the weekend, Facebook suffered a massive data breach, with up to 50 million accounts compromised. Behind the breach was a flaw in Facebook's authentication system. This flaw has now been fixed. Having patched the flaw, Facebook is now staring at the prospect of a £1.25 billion fine from the EU, as GDPR is now in force - if any affected users were in Europe.
In a security update blog post, Facebook says that it has patched the security flaw which it found to be in the 'View As' security and privacy feature of the site. A flaw in the code allowed hackers to steal Facebook access tokens which they could then use to take over people's accounts. It goes on to explain that "Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app."
Now that it has fixed the flaw, Facebook has got in touch with law enforcement, namely the FBI, to help find out who was behind the attacks and bring them to justice, if possible. Furthermore, those affected by the flaw, almost 50 million accounts, have had their access tokens wiped, so they will have to log in afresh. Finally, as an extra cautionary measure, a further 40 million users have had their access tokens wiped and will also have to log in again on all their devices. After login, a notification at the top of the news feed will alert the person to what has happened.
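The response described above, invalidating the access tokens of a whole set of users so that existing tokens stop working and each user is told what happened at their next login, can be modelled with a per-user "token generation" counter. The following is an added illustration written for this article, not Facebook's code; the `TokenStore` class, its HMAC-signed token format and the user names are all assumptions.

```python
import hashlib
import hmac
import time


class TokenStore:
    """Hypothetical server-side access-token store (constructed example).

    Each token is signed with a server secret and embeds the user's current
    generation number. Bumping that number for a user invalidates every token
    issued to them so far, which forces a fresh login on all devices.
    """

    def __init__(self, secret: bytes):
        self.secret = secret
        self.generation = {}          # user_id -> current token generation
        self.pending_notice = set()   # users who get a notice at next login

    def _sign(self, payload: str) -> str:
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str) -> str:
        gen = self.generation.setdefault(user_id, 0)
        payload = f"{user_id}:{gen}:{int(time.time())}"
        return f"{payload}:{self._sign(payload)}"

    def validate(self, token: str):
        """Return the user id for a valid, current token, else None."""
        try:
            user_id, gen, issued, sig = token.split(":")
        except ValueError:
            return None                                   # malformed token
        if not hmac.compare_digest(sig, self._sign(f"{user_id}:{gen}:{issued}")):
            return None                                   # tampered or forged
        if int(gen) != self.generation.get(user_id, 0):
            return None                                   # revoked: re-login
        return user_id

    def revoke_all(self, user_ids, notify: bool = True) -> int:
        """Bulk-invalidate tokens for affected (or precautionary) users."""
        for uid in user_ids:
            self.generation[uid] = self.generation.get(uid, 0) + 1
            if notify:
                self.pending_notice.add(uid)
        return len(user_ids)

    def login(self, user_id: str):
        """Fresh login: new token, plus whether to show the breach notice."""
        notice = user_id in self.pending_notice
        self.pending_notice.discard(user_id)
        return self.issue(user_id), notice
```

Because the generation number lives in the token and is checked on every request, a token stolen before the reset fails validation immediately without any per-token revocation list.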
Tesco Bank customers robbed
In a similar security vein, it has been revealed today that Tesco Bank has been fined £16.4 million over a cyber attack which occurred in November 2016. During this serious hacking incident, cyber attackers swiped £2.26 million from customers of the bank over a 48-hour period. Adding insult to injury, the bank's online services were temporarily taken down for 136,000 users as Tesco tried to respond to what was happening.
The UK's Financial Conduct Authority (FCA) has said that Tesco Bank failed to "exercise due skill, care and diligence" in protecting its current account holders. The FCA added that the cyber attack under the spotlight was "largely avoidable".
In all, £2.26 million was stolen from 9,000 customers, from a total of 40,000 accounts compromised. Investigators found that there were security holes in Tesco Bank's design of its debit card, its financial crime controls, and its Financial Crime Operations Team, reports ZDNet.
Tesco was initially facing a much stiffer fine of £33 million from the FCA, but because it cooperated with the banking regulatory body, the penalty was greatly reduced. Tesco has now paid the fine, reimbursed customers and apologised to them. Perhaps even more importantly, Tesco Bank has since "significantly enhanced our security measures to ensure that our customers' accounts have the highest levels of protection," said Gerry Mallon, Tesco Bank chief executive.