Meta has been fined €251 million ($263 million) by Ireland’s Data Protection Commission (DPC) for a 2018 Facebook security breach that exposed the personal data of nearly three million users in the European Union.
The breach stemmed from a vulnerability in Facebook’s “View As” feature that let attackers obtain access tokens for other users and take over their accounts. The fine, issued under the EU’s General Data Protection Regulation (GDPR), reflects the DPC’s finding that Meta failed to meet essential data protection obligations.
The breach was traced back to a bug introduced in July 2017, when Facebook added a video upload feature that interacted with the “View As” function. Attackers chained this with the “Happy Birthday Composer” feature so that the uploader generated an access token for the user whose profile was being viewed rather than for the viewer, granting full access to the affected account. Exploiting this vulnerability between September 14 and September 28, 2018, the attackers accessed approximately 29 million accounts globally, including roughly 3 million in the EU.
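To make the underlying bug class concrete, here is an added illustrative example that is not Facebook’s code and is not drawn from the DPC decision: a toy profile-preview service whose embedded widget mints an access token for the profile being rendered (the “view as” target) instead of for the logged-in user, beside a hardened form that always binds the token subject to the authenticated principal and downgrades scope in preview mode. The token format, signing key, session model and user names are all constructed for the example.

```python
"""Constructed model of the "View As" token-confusion bug class.

This is NOT Facebook's code. It models an impersonation/preview feature whose
embedded widget asks "whose profile am I rendering?" and mints a credential
for that identity, and the hardened variant that never lets the rendered
identity become the token subject.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

SIGNING_KEY = b"constructed-demo-key"  # hypothetical key, demo only


def _sign(claims: dict) -> str:
    """Serialise claims and append an HMAC-SHA256 tag (toy token format)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify(token: str) -> dict:
    """Check the tag in constant time and return the claims; raises on tampering."""
    body, tag = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("invalid token signature")
    return json.loads(base64.urlsafe_b64decode(body))


@dataclass
class Session:
    user_id: str                   # the authenticated (logged-in) principal
    view_as: Optional[str] = None  # profile being previewed, if in "View As" mode


def issue_token_vulnerable(session: Session) -> str:
    """Bug class: the widget mints a full-scope token for the identity it is
    rendering, so in preview mode the token belongs to the viewed user."""
    subject = session.view_as or session.user_id
    return _sign({"sub": subject, "scope": "full"})


def issue_token_hardened(session: Session) -> str:
    """Fix: the subject is always the authenticated principal. Preview mode is
    recorded as a separate claim and receives a read-only, preview-only scope."""
    claims = {"sub": session.user_id, "scope": "full"}
    if session.view_as is not None:
        claims = {"sub": session.user_id, "preview_of": session.view_as, "scope": "read:preview"}
    return _sign(claims)


def can_act_as(token: str, target: str) -> bool:
    """Would an API accept this token as `target` with full privileges?"""
    claims = verify(token)
    return claims["sub"] == target and claims["scope"] == "full"


def demo() -> dict:
    """Constructed scenario: a user logged in as 'attacker' previews 'victim'
    and harvests whatever token the embedded widget minted."""
    attacker = Session(user_id="attacker", view_as="victim")
    return {
        "vulnerable_token_acts_as_victim": can_act_as(issue_token_vulnerable(attacker), "victim"),
        "hardened_token_acts_as_victim": can_act_as(issue_token_hardened(attacker), "victim"),
        "hardened_token_subject": verify(issue_token_hardened(attacker))["sub"],
    }


if __name__ == "__main__":
    print(demo())
```

The practitioner’s takeaway is the invariant, not the toy token format: any code path that issues a credential must derive the subject from the authenticated session, never from a “currently rendered as” value, and preview or impersonation modes should mint nothing stronger than a read-only, clearly labelled token.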
The exposed data included sensitive personal information such as full names, email addresses, phone numbers, dates of birth, locations, religious affiliations, and children’s data. According to the DPC, the broad scope of compromised data significantly influenced the scale of the penalty.
Two Investigations and GDPR Violations
The DPC conducted two inquiries into Meta’s handling of the breach. The first focused on Meta’s breach notification, which GDPR requires to be prompt and complete, and on its documentation of the incident. The second examined Meta’s compliance with the GDPR principles of data protection by design and by default.
Findings revealed multiple violations:
- Meta failed to provide sufficient details in its breach notification and did not fully document the incident.
- The company lacked adequate safeguards to prevent unauthorized processing of personal data, in breach of the data protection by design and by default principles.
As a result, Meta was fined €11 million for the notification and documentation failures and €240 million for the design-and-default failures. DPC Deputy Commissioner Graham Doyle stressed the risks posed by insufficient data protection measures, stating that vulnerabilities like this create serious risks to individuals’ rights and freedoms.
In a statement, Meta responded, “This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified and informed both affected users and the Irish Data Protection Commission. We have since implemented a wide range of industry-leading security measures.”
This fine is not Meta’s first encounter with GDPR enforcement. Earlier in 2024, the DPC fined Meta €91 million for a separate incident in which user passwords had been stored in plaintext. Outside the EU, Meta also settled a $725 million lawsuit in the U.S. related to the Cambridge Analytica scandal and paid $31.7 million in Australia for privacy violations.
The penalty reflects an evolving regulatory landscape for tech giants, as authorities push for stricter enforcement of data protection laws. While Meta has faced criticism for its past handling of user data, this decision underscores the growing emphasis on accountability and compliance in protecting digital privacy.
Featured Image courtesy of Cheng Xin/Getty Images