Another week, another security failure at Facebook. This week’s “bug” allowed the private photos of up to 6.8 million users to be improperly accessible to up to 1,500 different applications built by 876 different developers for nearly two weeks before the company noticed the security lapse and fixed it. Once again the company is merely “sorry this happened” but is offering no monetary or other compensation to those users whose trust it violated. As Facebook racks up security failure after security failure, it raises the question of why users should continue to trust it with their data. Moreover, the company’s nearly two-month wait to notify data protection authorities after it became aware of the breach, in spite of GDPR’s 72-hour notification requirement, reminds us that GDPR is far more limited than the public understands.
Facebook’s latest breach was a “bug” in its photo API that allowed third-party applications to access a user’s private photographs without their permission. The bug was introduced in a software update on September 13, and the company first noticed and fixed the breach on the 25th. Yet the company did not actually notify the affected users and the public until today, nearly three months later.