Meta, the parent company of Facebook, has been fined €251 million by the European Union’s Data Protection Commission (DPC) for a 2018 security breach that compromised the personal data of approximately 29 million users worldwide, including 3 million within the EU. The breach involved the exploitation of vulnerabilities in Facebook’s “View As” feature, leading to unauthorized access to user profiles and sensitive information.
Key Points at a Glance:
- Significant Fine Imposed: The DPC has levied a €251 million fine on Meta for violations of the General Data Protection Regulation (GDPR) related to the 2018 data breach.
- Extent of the Breach: The security incident affected 29 million Facebook users globally, with about 3 million users based in the EU and European Economic Area.
- Exploited Vulnerability: Attackers exploited a flaw in the “View As” feature, allowing unauthorized access to personal data, including names, contact details, locations, and more.
- Meta’s Response: Meta promptly addressed the breach upon discovery and notified affected users and regulatory authorities. The company plans to appeal the DPC’s decision.
- Ongoing Regulatory Scrutiny: This fine contributes to nearly €3 billion in total penalties imposed on Meta under the GDPR since 2018, reflecting ongoing regulatory scrutiny of the company’s data protection practices.
In September 2018, Facebook identified a security vulnerability in its “View As” feature, which allows users to see how their profiles appear to others. This flaw enabled attackers to obtain access tokens—digital keys that keep users logged in without re-entering passwords—granting control over user accounts. The breach compromised personal information, including full names, contact details, locations, places of work, dates of birth, religions, genders, and children’s personal data.
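To make the failure class concrete, here is a constructed illustration (added for this article, not Facebook's code, and making no claim about how the real feature was built): a profile-preview endpoint that mints a token whose subject is the impersonated account, next to a hardened version that keeps the token bound to the viewer with a read-only preview scope, plus a detection hook that flags preview tokens used for anything other than rendering. Token format, claim names and the signing key are assumptions.

```python
"""Constructed model of the 'View As' token-leak class: a preview feature must never
hand out a token that acts as the impersonated user."""
import base64, hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # assumption: HMAC-signed opaque tokens

def mint_token(claims: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def parse_token(token: str) -> dict:
    body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("invalid token signature")
    return json.loads(base64.urlsafe_b64decode(body))

def view_as_vulnerable(viewer: str, target: str) -> str:
    # Defect: to render "how target sees my profile", the preview obtains a session
    # token whose subject is the target. Whoever receives it now controls that account.
    return mint_token({"sub": target, "scope": "full"})

def view_as_hardened(viewer: str, target: str) -> str:
    # Fix: the subject stays the viewer; the impersonation is a separate claim, and the
    # scope permits only rendering a preview, never account-level actions.
    return mint_token({"sub": viewer, "view_as": target, "scope": "preview:read"})

def can_act_as(token: str, account: str) -> bool:
    """True if the token authorizes account-level actions (post, change settings) as `account`."""
    claims = parse_token(token)
    return claims["sub"] == account and claims.get("scope") == "full"

def preview_perspective(token: str):
    """(profile_owner, viewed_as) for read-only rendering, or None if not a preview token."""
    claims = parse_token(token)
    if claims.get("scope") != "preview:read" or "view_as" not in claims:
        return None
    return claims["sub"], claims["view_as"]

def is_token_misuse(token: str, action: str) -> bool:
    """Detection hook: a preview-scoped token presented for any non-render action is a red flag."""
    claims = parse_token(token)
    return claims.get("scope") == "preview:read" and action != "render_preview"
```

The vulnerable path shows why a leaked preview token equals account takeover; the hardened path keeps the same user-facing behaviour while confining the token to its one purpose.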
Upon discovering the breach, Meta took immediate action to rectify the issue and informed both the affected users and relevant regulatory bodies, including the DPC. Despite these measures, the DPC’s investigation concluded that Meta had violated GDPR provisions, leading to the substantial fine. The DPC cited the unauthorized exposure of profile information as posing a significant risk of misuse, warranting the financial penalty.
Meta has expressed its intention to appeal the DPC’s decision. A company spokesperson stated, “We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission.” The spokesperson emphasized that Meta has implemented a wide range of measures to protect users across its platforms.
This fine adds to the series of penalties Meta has faced under the GDPR framework. Notably, in May 2023, the company was fined a record €1.2 billion for data transfer violations, a decision it is currently appealing. The cumulative fines underscore the EU’s stringent stance on data protection and the importance of robust security measures to safeguard user information.
The DPC’s enforcement actions highlight the critical need for companies to adhere to data protection regulations and implement comprehensive security protocols. As data breaches continue to pose significant risks to user privacy, regulatory bodies remain vigilant in holding organizations accountable for lapses in data security.