
Irish data protection slaps Meta with €251 million fine for 2018 data breach


The Irish Data Protection Commission (DPC) has announced its final decisions following extensive investigations into Meta Platforms Ireland Limited (MPIL), triggered by a significant data breach reported in September 2018. The breach, which exposed personal data from approximately 29 million Facebook accounts worldwide — including three million within the EU/EEA — resulted in administrative fines totalling €251 million against the social media giant.

The 2018 breach stemmed from exploiting user tokens, unique identifiers that grant access to platform features and personal data. Unauthorised third parties leveraged a vulnerability in Facebook’s ‘View As’ feature and associated video upload tool.

The flaw allowed attackers to obtain user tokens that granted full access to user profiles. Over two weeks in September 2018, hackers exploited this vulnerability to access sensitive personal data, including names, email addresses, phone numbers, locations, religion, workplaces, and even children’s information.

After observing unusual video upload activity, Facebook’s security team discovered the breach and disabled the affected functionality. Meta was fined €8 million under Article 33(3) of the General Data Protection Regulation (GDPR) for not including all required information in its breach notification.

An additional €3 million fine was levied because the company was found to have inadequately documented the breach and its remediation effort, hindering regulatory verification.

The DPA also imposed two additional fines: €130 million for Meta’s failure to integrate robust data protection principles into its system design and €110 million for not ensuring that, by default, only necessary personal data was processed for specific purposes.

“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals,” said DPC Deputy Commissioner Graham Doyle.

Recently, Meta settled a lawsuit with the Australian government, announcing an enforceable undertaking of A$50 million ($31.85 million). The lawsuit stemmed from the Cambridge Analytica scandal, where the firm collected data of millions of Facebook users without their consent.

As part of the settlement, Meta will establish a payment scheme for affected Australian users overseen by an independent third-party administrator.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
