Meta has been fined €251M ($263M) for a 2018 data breach affecting millions in the EU, marking another penalty for violating privacy laws.
The Irish Data Protection Commission (DPC) fined Meta €251 million ($263M) for a 2018 data breach impacting 29 million Facebook accounts.
The categories of personal data affected included: user’s full name; email address; phone number; location; place of work; date of birth; religion; gender; posts on timelines; groups of which a user was a member; and children’s personal data.
Attackers exploited a vulnerability in the “View As” feature that allowed them to steal Facebook access tokens of the users, it allows users to see how others see their profile.
The DPC fined Meta €251M for GDPR violations, citing insufficient breach notifications (€8M), poor breach documentation (€3M), design flaws (€130M), and default data protection failures (€110M).
By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”
The hackers did not affect Facebook-owned Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps or advertising or developer accounts, the company said.
We now know that fewer people were impacted than we originally thought,” said Facebook vice president of product management Guy Rosen in a conference call.
The DPC found that MPIL had infringed these provisions, reprimanded MPIL, and ordered it to pay administrative fines of €110 million.
This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms.