
Facebook’s parent company Meta has been fined €251 million by Ireland’s Data Protection Commission for failing to prevent a data security incident in 2018 that affected almost 29 million Facebook accounts globally.
In September 2018, Facebook informed the Irish Data Protection Commission (DPC) that a bug in the “View As” feature enabled threat actors to access users’ profile information. Between 14 and 28 September 2018, threat actors exploited this vulnerability and gained login access to approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the EU/EEA.
In a recent press release, DPC said that the vulnerability compromised the sensitive personal information of Facebook users, including their full names, email addresses, phone numbers, location, places of work, dates of birth, religion, gender, posts on timelines, groups of which a user was a member and children’s personal data.
According to the Commission, although the company notified the authority about the data security incident and promptly took corrective measures to fix the bug, the incident violated several GDPR provisions: incomplete breach notification details (€8M fine), poor documentation of breach facts and remedies (€3M fine), failure to embed data protection in system design (€130M fine) and failure to limit data processing to what is necessary (€110M fine).
In a statement shared with the media, DPC Deputy Commissioner Graham Doyle said, “This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals.
“Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data,” he added.
Commenting on DPC’s decision, a Meta spokesperson said, “We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission. We have a wide range of industry-leading measures in place to protect people across our platforms.”
So far, Meta has been fined almost 3 billion euros for breaches under the European Union’s General Data Protection Regulation (GDPR) introduced in 2018, including a whopping €1.2 billion in 2023 that the company has appealed.
The company said it will also appeal the recent decision and that it has a wide range of measures in place to protect users across its platforms.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543