Meta has been fined €251 million (approximately $263 million) by Ireland’s Data Protection Commission (DPC) for a Facebook security breach disclosed in 2018. The incident, which affected millions of users globally, resulted in the unauthorised access of personal data, including the accounts of roughly three million users within the EU and European Economic Area (EEA).
The penalty, issued on Tuesday under the European Union’s General Data Protection Regulation (GDPR), is one of several fines the company has faced in recent years but remains significant as it addresses a single security incident.
The breach originated in July 2017, when the platform introduced a video upload feature that incorporated a 'View as' tool, allowing users to see how their profiles appeared to others. A design flaw enabled attackers to misuse the tool alongside the platform’s 'Happy Birthday Composer' feature, generating access tokens that provided full access to users’ profiles.
From 14 to 28 September 2018, attackers exploited this vulnerability using automated scripts, compromising around 29 million accounts globally. The compromised data included full names, email addresses, phone numbers, locations, places of work, dates of birth, religions, genders, timeline posts, group memberships, and even children’s personal data.
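The 'View as' flaw described above belongs to a general class: an impersonation preview that ends up minting a credential for the impersonated user rather than rendering the preview under the caller's own identity. The Python below is an added, hypothetical model written for this article, not Meta's code; the page does not describe the platform's internal mechanism, and the token format, profile store and the names alice and bob are constructed. It contrasts the flawed pattern with a hardened one in which the preview is purely a server-side visibility computation and any token returned stays bound to the caller with read-only scope.

```python
# Added illustration (not Meta's code): a minimal model of a "view as" feature
# showing the access-token scoping flaw class and a hardened version.
import base64
import hashlib
import hmac
import json
import secrets

# Constructed signing key for the toy token format; a real system uses a managed key.
SIGNING_KEY = secrets.token_bytes(32)


def mint_token(subject: str, scopes: tuple, view_as: str = None) -> str:
    """Issue a signed token whose 'sub' is the principal it acts for."""
    claims = {"sub": subject, "scopes": sorted(scopes)}
    if view_as is not None:
        # Informational only: records whose perspective is rendered, grants nothing.
        claims["view_as"] = view_as
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{base64.urlsafe_b64encode(payload).decode()}.{base64.urlsafe_b64encode(sig).decode()}"


def verify_token(token: str) -> dict:
    """Check the signature and return the claims; raise ValueError on tampering."""
    payload_b64, sig_b64 = token.split(".")
    payload = base64.urlsafe_b64decode(payload_b64)
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig_b64)):
        raise ValueError("bad token signature")
    return json.loads(payload)


def authorize(token: str, resource_owner: str, action: str) -> bool:
    """Resource-server check: the token's subject must own the profile and hold the scope."""
    claims = verify_token(token)
    return claims["sub"] == resource_owner and f"profile:{action}" in claims["scopes"]


# Constructed profile store: field -> (audience, value).
PROFILES = {
    "alice": {
        "name": ("public", "Alice"),
        "phone": ("friends", "+00 000 000"),
        "dob": ("only_me", "1990-01-01"),
    },
}
FRIENDS = {("alice", "bob")}


def fields_visible_to(owner: str, viewer: str) -> dict:
    """Server-side visibility decision; this is all a 'view as' preview needs."""
    visible = {}
    for field, (audience, value) in PROFILES[owner].items():
        is_friend = (owner, viewer) in FRIENDS
        if viewer == owner or audience == "public" or (audience == "friends" and is_friend):
            visible[field] = value
    return visible


def view_as_flawed(caller: str, target_viewer: str) -> dict:
    """Flaw class: the preview is built by minting a full token *as* the target viewer
    and handing it to the caller's client, so the caller can now act as target_viewer."""
    token = mint_token(target_viewer, ("profile:read", "profile:write"))
    return {"preview": fields_visible_to(caller, target_viewer), "token": token}


def view_as_hardened(caller: str, target_viewer: str) -> dict:
    """Hardened: the preview is computed server-side; any token returned stays bound to
    the caller, is read-only, and only records the impersonated perspective as a claim."""
    token = mint_token(caller, ("profile:read",), view_as=target_viewer)
    return {"preview": fields_visible_to(caller, target_viewer), "token": token}
```

The point the two variants make is that the preview itself never requires a credential for the impersonated user: the visibility decision is a server-side function of the owner, the viewer and the audience rules, and the only token a client should ever receive is one for the principal actually logged in. A data-protection-by-design review would ask, for every token-issuing path, whose identity the token carries and why.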
The scope of the data exposed likely influenced the size of the fine, which underscores the serious risks posed by the breach.
GDPR Violations
The DPC issued two decisions addressing Meta’s handling of the breach:
- Breach Notification: The company was fined €11 million for failing to include all relevant information in its breach notification. The company also failed to fully document the facts and remedial steps taken.
- Data Protection by Design: A €240 million fine was levied for Meta’s failure to implement sufficient data protection measures during the design and development of its platform, violating GDPR principles.
Commenting on the enforcement, DPC Deputy Commissioner Graham Doyle said, “This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals.”
Broader Implications
This ruling is notable as no objections were raised by other EU supervisory authorities to Ireland’s draft decision submitted in July 2024. Previously, the DPC had faced criticism under former commissioner Helen Dixon for perceived leniency towards the platform and other tech companies, with many of its draft decisions encountering disputes from peer regulators.
The ruling was overseen by two new commissioners, Dr Des Hogan and Dale Sunderland, who took over from Dixon earlier this year.
In a statement, the DPC said, “The DPC is grateful for the cooperation and assistance of its peer EU/EEA supervisory authorities in this case.”
The fine follows another enforcement action in September, when the platform was fined €91 million by the DPC for storing hundreds of millions of users’ passwords in plaintext on its servers in a 2019 security lapse.
The latest sanction underscores the increasing regulatory scrutiny on Meta and other tech giants under the GDPR. While Meta has implemented measures to address past vulnerabilities, the fines reflect ongoing challenges in ensuring compliance with Europe’s strict data protection laws.