…As North Korean hackers accused of stealing millions from global banks***
The Irish Data Protection Commission has opened a formal investigation into a data breach that affected nearly 50m Facebook accounts, which could result in a fine of up to $1.63bn.
The breach, which was discovered by Facebook engineers on Tuesday 24 September, gave hackers the ability to take over users’ accounts. It was patched on Thursday, the company said.
“The investigation will examine Facebook’s compliance with its obligation under the General Data Protection Regulation (GDPR) to implement appropriate technical and organisational measures to ensure the security and safeguarding of the personal data it processes,” the commission said in a statement on Wednesday.
The commission regulates Facebook’s adherence to GDPR, a European law that strengthens the privacy protections of individuals and introduces harsh penalties for companies that fail to protect user data.
The commission noted that Facebook had informed the commission that its internal investigation was continuing and that the company continued “to take remedial actions to mitigate the potential risk to users”.
“We have been in close contact with the Irish Data Protection Commission since we have become aware of the security attack and will continue to cooperate with their investigation,” said a Facebook spokeswoman.
Shortly after the Irish Data Protection Commission announced its investigation, the Spanish Data Protection Agency announced it would collaborate on the investigation to protect the rights of Spanish citizens.
The security breach is believed to be the largest in Facebook’s history and is particularly egregious because the hackers stole “access tokens”, a digital security key that allows users to stay logged into Facebook over multiple browsing sessions without having to enter their password each time. When an attacker has this token they can take full control of a victim’s account, including logging into third-party applications that use Facebook Login.
The breach comes at time when Facebook is under heavy scrutiny over issues including foreign interference in elections, its role in spreading misinformation and hate speech, and privacy.
Facebook announced the breach in a blogpost on Friday, saying it was taking the issue “incredibly seriously”. Over the weekend the commission said it was “concerned that this breach was discovered on Tuesday and affects millions of users”.
Facebook was “unable to clarify the nature of breach and risk” to users at that point, the commission said, adding that it was pushing the company to “urgently clarify these matters”.
Rowenna Fielding, a senior data protection lead at Protecture Limited, said: “Facebook should have tested the ‘view as’ function with a ‘what could an attacker do with this’ mindset and they either didn’t, or didn’t care about the gaping hole.”
In the meantime, a hacking group linked to the North Korean regime is accused of stealing hundreds of millions of dollars by infiltrating the computer systems of banks in at least 11 countries since 2014.
A report by the American cybersecurity firm FireEye described the group — which it dubbed APT38 — as “a large, prolific operation with extensive resources” and warned that it “remains active and dangerous to financial institutions worldwide.”
The document says APT38’s initial operations targeted banks in Asian countries — including Vietnam, Malaysia and Taiwan — where North Korea had experience in money laundering, but then expanded into such far-flung countries as Brazil, Turkey, Mexico and the United States.
In all, FireEye says, APT38 has attempted to steal $1.1 billion, and based on the data it can confirm, has gotten away with hundreds of millions in dollars. It has used malware to insert fraudulent transactions in the Society for Worldwide Interbank Financial Telecommunication or SWIFT system that is used to transfer money between banks. Its biggest heist to date was $81 million stolen from the central bank of Bangladesh in February 2016. The funds were wired to bank accounts established with fake identities in the Philippines. After the funds were withdrawn they were suspected to have been laundered in casinos.
The FireEye report was made public one day after the U.S. Department of Homeland Security warned of the use of malware by Hidden Cobra, the federal government’s byword for North Korea hackers, in fraudulent ATM cash withdrawals from banks in Asia and Africa. It said that Hidden Cobra was behind the theft of tens of millions of dollars from teller machines in the past two years. In one incident this year, cash had been simultaneously withdrawn from ATMs in 23 different countries, it said.
North Korea, which prohibits access to the world wide web for virtually all its people, has previously denied involvement in cyberattacks, and attribution for such attacks is rarely made with absolute certainty. It is typically based on technical indicators such as the Internet Protocol, or IP, addresses that identify computers and characteristics of the coding used in malware, which is the software a hacker may use to damage or disable computers.
This activity has been taking place against the backdrop of a dramatic diplomatic shift as Kim Jong Un has opened up to the world. He has held summits with South Korean President Moon Jae In and with President Trump, who hopes to persuade Kim to relinquish the nuclear weapons that pose a potential threat to the U.S. homeland. Tensions on the divided Korean Peninsula have dropped and fears of war with the U.S. have ebbed. Trump this weekend will dispatch his top diplomat, Mike Pompeo, to Pyongyang for the fourth time this year to make progress on denuclearization.
But North Korea has yet to take concrete steps to give up its nuclear arsenal, so there’s been no let-up in sanctions that have been imposed to deprive it of fuel and revenue for its weapons programs, and to block it from bulk cash transfers and accessing the international banking system.
Sandra Joyce, FireEye’s head of global intelligence, said that while APT38 is a criminal operation, it leverages the skills and technology of a state-backed espionage campaign, allowing it to infiltrate multiple banks at once and figure out how to extract funds. On average, it dwells in a bank’s computer network for 155 days to learn about its systems before it tries to steal anything. And when it finally pounces, it uses aggressive malware to wreak havoc and cover its tracks.
Guardian UK with additional report from Fox