Meta has faced a fine of €251 million (approximately $263 million) from the European Union over a Facebook security breach that impacted millions of users—a breach the company revealed in September 2018.
The fine was imposed on Tuesday by Ireland’s Data Protection Commission (DPC) as part of its enforcement of the General Data Protection Regulation (GDPR) within the EU. Although this penalty is not the largest fine Meta has received under GDPR since its introduction over five years ago, it remains a significant sanction for a single security breach.
The incident dates back to July 2017, when Facebook launched a video upload feature that included a “View as” option, allowing users to see how their profile appeared to others.
A flaw in this feature enabled malicious individuals to use it alongside Facebook’s “Happy Birthday Composer” to generate a user token, granting them full access to that user’s profile. This token could then be utilized to exploit the same feature on other accounts, leading to unauthorized access to numerous profiles and their data, as reported by the DPC.
From September 14 to September 28, 2018, the DPC indicated that unauthorized users employed scripts to take advantage of this vulnerability, logging into around 29 million Facebook accounts worldwide, approximately 3 million of which were situated in the EU/European Economic Area.
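The design fault described above is a token-scoping failure: a preview feature minted a credential whose subject was the profile being previewed rather than the user requesting the preview. The Python below is an added illustration written for this article, not Facebook's code, and the token format, the names `mallory` and `alice`, and the signing key are all constructed for the demo. It puts a vulnerable token issuer beside a hardened one and includes the regression check a "data protection by design" review would want in the test suite: a preview must never yield full access to the previewed profile.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for the illustration, not a real secret.
SECRET = b"constructed-demo-key"


def _sign(claims: dict) -> str:
    """Serialise claims and append an HMAC so tokens cannot be forged or edited."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify(token: str) -> dict:
    """Check the HMAC and return the claims; raise on any tampering."""
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("token signature mismatch")
    return json.loads(base64.urlsafe_b64decode(body))


def mint_preview_token_vulnerable(viewer: str, view_as: str) -> str:
    """Defect class: the token is issued for the previewed profile with full scope,
    so whoever requested the preview now holds that profile's credential."""
    return _sign({"sub": view_as, "scope": "full"})


def mint_preview_token_hardened(viewer: str, view_as: str) -> str:
    """Subject stays the authenticated viewer; the preview is a narrow read-only
    scope that names the previewed profile as data, not as identity."""
    return _sign({"sub": viewer, "scope": "preview", "view_as": view_as})


def grants_full_access(token: str, profile: str) -> bool:
    """Server-side check every privileged endpoint should run: the token must be
    issued to this profile AND carry full scope."""
    claims = _verify(token)
    return claims.get("sub") == profile and claims.get("scope") == "full"


def preview_isolation_holds(mint) -> bool:
    """Regression check for the design property: a preview requested by one user
    must never grant full access to the previewed profile. Names are constructed."""
    token = mint(viewer="mallory", view_as="alice")
    return not grants_full_access(token, "alice")


if __name__ == "__main__":
    print("vulnerable issuer isolates preview:", preview_isolation_holds(mint_preview_token_vulnerable))
    print("hardened issuer isolates preview:  ", preview_isolation_holds(mint_preview_token_hardened))
```

The hardened issuer keeps the authenticated principal as the token subject and expresses "view as" purely as a claim that read-only rendering code may consult; a token like that cannot be reused elsewhere as the previewed user, which is what the chaining across accounts depended on. Running `preview_isolation_holds` against each issuer in CI is the kind of check that turns a design principle into an enforced property.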
The breach compromised personal data of Facebook users, including their full names, email addresses, phone numbers, locations, job titles, birthdates, religious beliefs, gender, timeline posts, group memberships, and information on their children.
The extensive range of affected personal data likely contributed to the size of the fine.
Two Enforcement Decisions
On Tuesday, the Irish regulator published its final outcomes from two investigations into the 2018 security breach. One decision pertains to Meta’s breach notification, which, as required by GDPR, should have provided timely and detailed reports of significant security incidents. The other decision focuses on regulations regarding data protection by design and by default.
In both instances, the DPC concluded that Meta violated GDPR guidelines.
Here’s the breakdown of the total fines:
Meta was fined €11 million related to the first decision, as the DPC found that the company’s breach notification lacked critical information that it should have included. The DPC also noted that Meta did not adequately document the breach details nor the corrective actions taken.
Additionally, Meta received a €240 million fine regarding the second decision, wherein the DPC determined that the company failed to uphold GDPR obligations concerning data protection by design, as it lacked sufficient safeguards against unintended data processing.
Graham Doyle, deputy commissioner of the DPC, commented in a statement: “This enforcement illustrates how neglecting to incorporate data protection measures throughout the design and development cycle can expose individuals to significant risks and harms, jeopardizing their fundamental rights and freedoms.”
He further stated that “Facebook profiles often contain sensitive information relating to religious or political beliefs, sexual orientation, and other matters that users may prefer to disclose only in specific contexts. The vulnerabilities leading to this breach created a serious risk of misuse of such data.”
Another notable aspect of this ruling is that no objections to Ireland’s draft decision were raised by peer regulatory authorities. The decision was handled under the DPC’s two commissioners, Dr. Des Hogan and Dale Sunderland, who took office earlier this year, succeeding Helen Dixon.
The DPC expressed appreciation for the cooperation and support it received from its peer EU/EEA supervisory authorities during this case.
During Dixon’s tenure, critics accused the DPC of consistently under-enforcing GDPR against Meta and other tech giants, with numerous draft decisions challenged by peer authorities. Enforcements against Meta were often plagued by lengthy disputes, some requiring binding decisions from the European Data Protection Board to resolve.
Therefore, it is significant that this enforcement against Meta—which the DPC stated was submitted as a draft decision for the GDPR cooperation mechanism in July 2024—has proceeded without any issues.
In response to the penalty, Meta spokeswoman Emily Westcott issued a statement via email, mentioning, “This ruling pertains to an incident from 2018. We acted swiftly to rectify the issue upon its identification and proactively informed those affected as well as the Irish Data Protection Commission. We implement a comprehensive array of industry-leading measures to safeguard users across our platforms.”
In September, the DPC announced another penalty against Meta for a 2019 security breach, imposing a €91 million fine for an incident where “hundreds of millions” of user passwords were found stored in plaintext on its servers.
Compiled by Techarena.au.