Ireland’s Data Protection Commission (DPC) has imposed a hefty €251 million fine on Meta Platforms Inc. for a 2018 data breach that compromised the personal information of 29 million Facebook users. This penalty is part of ongoing enforcement of the EU’s GDPR regulation, under which Meta has faced multiple fines for privacy violations.
The 2018 Cyberattack
The breach occurred in September 2018 when hackers exploited a vulnerability in Facebook’s “View As” feature. This tool allowed users to view their profile as others would see it but contained a flaw that attackers manipulated to steal user access tokens.
Access tokens are the credentials a site issues after login so that users stay signed in without re-entering their password; whoever holds a valid token can act as that user. Hackers used an automated script to extract these tokens rapidly, which allowed them to access personal data such as names, birth dates, and recent posts. Meta detected the intrusion on 14 September 2018 and took action to block it shortly thereafter.
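Automated token extraction of the kind described above leaves a signature a defender can look for: one acting account obtaining tokens for many distinct profiles in a very short window, far faster than a person previewing their own profile. The detector below is an added illustration written for this article, not Facebook's code; the log format, field names (actor, target, token_issued) and sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format, not real platform logs).
# Each line: timestamp, acting account, profile viewed via "View As",
# and whether an access token was issued for that view.
SAMPLE_LOG = """\
2018-09-14T10:00:01Z actor=u100 target=u201 token_issued=1
2018-09-14T10:00:02Z actor=u100 target=u202 token_issued=1
2018-09-14T10:00:02Z actor=u100 target=u203 token_issued=1
2018-09-14T10:00:03Z actor=u100 target=u204 token_issued=1
2018-09-14T10:00:03Z actor=u100 target=u205 token_issued=1
2018-09-14T10:00:04Z actor=u100 target=u206 token_issued=1
2018-09-14T10:05:00Z actor=u300 target=u301 token_issued=1
2018-09-14T10:09:00Z actor=u300 target=u302 token_issued=1
"""

def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    rec["token_issued"] = rec["token_issued"] == "1"
    return rec

def find_mass_token_extraction(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {actor: peak distinct targets} for actors that obtained tokens
    for at least `threshold` distinct profiles inside any sliding `window`.
    A person previewing their profile touches a few targets over minutes;
    an extraction script touches many within seconds."""
    recent = defaultdict(deque)   # actor -> deque of (ts, target) in window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec["token_issued"]:
            continue
        q = recent[rec["actor"]]
        q.append((rec["ts"], rec["target"]))
        # Drop events older than the window (log is assumed time-ordered).
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= threshold:
            flagged[rec["actor"]] = max(flagged.get(rec["actor"], 0), len(distinct))
    return flagged
```

Running it over the sample flags only u100, which collected tokens for six profiles in four seconds, while u300's two previews minutes apart stay below the threshold.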
GDPR Violations and Fines
The DPC ruled that Meta had failed to adequately protect user data, violating GDPR’s stringent data protection requirements. Additionally, the company fell short in meeting cyberattack disclosure obligations.
The €251 million fine was broken into three parts:
Data Protection Failures (€130 Million): Meta did not implement robust data protection principles, leaving its systems vulnerable.
Excessive Data Storage (€110 Million): The company retained more user information than necessary, contravening GDPR’s “data minimisation” principle.
Documentation and Disclosure Lapses (€11 Million): Meta failed to fully document the attack and its remediation efforts. It also omitted critical details in its breach notification to regulators.
A History of GDPR Breaches
This is not the first time Meta has faced regulatory action from the DPC. In a prior case, the company was fined €91 million for storing hundreds of millions of account passwords in unencrypted formats. These repeated penalties highlight ongoing concerns about the company’s adherence to GDPR requirements.
Meta’s Responsibility Under GDPR
GDPR, implemented in 2018, requires tech companies operating in the EU to store only the minimum necessary personal data, secure that data with robust measures, and promptly disclose breaches. In this instance, the DPC determined that Meta’s actions fell short on all three fronts, leading to the substantial fine.
The Bigger Picture
This latest penalty underscores the increasing scrutiny on major tech firms over data privacy. As organisations like Meta continue to face regulatory action, the importance of compliance with GDPR and similar regulations remains paramount.
With the DPC taking a firm stance, businesses must prioritise robust data protection strategies to avoid hefty fines and reputational damage.