Meta Platforms Ireland Limited (MPIL), a subsidiary of the global tech giant Meta, has been fined €251 million by the Irish Data Protection Commission (DPC) over a data breach affecting 29 million Facebook users in 2018.
This breach compromised sensitive personal information, including details about users’ identities, locations, and personal preferences.
The Data Breach: What Happened?
In September 2018, Meta reported the incident to the Irish regulator, disclosing that attackers had exploited vulnerabilities in Facebook’s “View As” feature, which lets users preview their own profile as another user would see it.
Using automated scripts, unauthorised individuals were able to obtain and misuse user access tokens, gaining access to accounts and the personal data they held.
The breach exposed personal information such as full names, email addresses, phone numbers, locations, workplaces, dates of birth, religious affiliations, and posts. Particularly troubling was the exposure of children’s data.
While Meta fixed the underlying issue quickly, the DPC’s investigation found gaps in how the company documented and reported the breach under the EU’s General Data Protection Regulation (GDPR), and in how it had designed the affected systems in the first place.
The DPC identified multiple GDPR violations and issued reprimands alongside the financial penalty. Two specific infringements stood out:
- Breach Notification Failures: Meta failed to include all the information required by GDPR Article 33(3) in its breach notification, leading to an €8 million fine. It also failed to document the breach adequately, as Article 33(5) requires, resulting in an additional €3 million penalty.
- Inadequate System Design: Under GDPR Articles 25(1) and 25(2) (data protection by design and by default), Meta was found not to have built data protection principles into the design of its processing systems, and not to have ensured that by default only the personal data necessary for each purpose was processed. These two infringements drew fines of €130 million and €110 million, respectively.
Graham Doyle, deputy commissioner of the DPC, stressed the risks caused by such breaches, noting that Facebook profiles often contain sensitive information such as political views, religious beliefs, and sexual orientation. The exposure of these details could lead to significant misuse, affecting individuals’ privacy and safety.
This penalty adds to ongoing enforcement against Meta by European regulators. Since GDPR took effect in 2018, Meta has faced nearly €3 billion in fines, including a record €1.2 billion penalty in 2023. The company has said it intends to appeal the latest ruling.
While this fine reflects Europe’s focus on protecting personal data, regulatory scrutiny of Meta is growing in other regions as well.
In July 2024, Nigeria’s Federal Competition and Consumer Protection Commission (FCCPC) and Nigeria Data Protection Commission (NDPC) jointly fined Meta $220 million for privacy violations and abuse of dominance.
The regulators accused the company of unauthorised data transfers, cross-border storage of data without the required compliance measures, and discriminatory practices.