Meta has been fined €251m ($263m) by the Irish Data Protection Commission (DPC) for a massive 2018 data breach which impacted around 29 million Facebook accounts.
The incident in question arose between September 14-28 2018, when unauthorized individuals exploited a vulnerability in the social media platform’s “View As” feature, enabling them to log on as the account holder.
A wealth of account holder information was compromised, including full names, email addresses, phone numbers, locations, places of work, dates of birth, religion, gender, posts on timelines, groups of which the user was a member and children’s personal data.
The breach affected around three million accounts based in the EU.
The DPC said Meta had contravened Articles 33 and 25 of the GDPR by:
- Not including a full breach notification at the time of the incident (fine: €8m)
- Failing to properly document the facts of each breach and steps taken to remedy them (€3m)
- Failing to follow data protection principles in the design of its processing systems (€130m)
- Failing to ensure that only personal data necessary for specific purposes was processed by default (€110m)
The Irish DPC said it will publish more details on its decision in due course. A draft version of the decision was shared according to the GDPR cooperation mechanism in September, and no objections were raised by its fellow EU supervisory authorities.
“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals,” argued the DPC deputy commissioner, Graham Doyle.
“Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorized exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”
This is the latest in a long line of big GDPR fines for the social media giant.
Back in 2022, the Irish DPC levied a monetary penalty of €265m ($275m) on Meta after the personal details of 533 million Facebook users were leaked on a hacking website the previous year.