Meta was fined US$263 million over a 2018 security breach that affected around 3 million EU users.

Meta has been fined €251 million (about $263 million) in the European Union over a Facebook security breach affecting millions of users that the company disclosed back in September 2018.

The penalty, issued on Tuesday by Ireland’s Data Protection Commission (DPC) – which enforces the bloc’s General Data Protection Regulation (GDPR) – is far from the largest fine imposed on Meta under the GDPR, a regime that has been in force for more than five years, but it is notable as a significant penalty for a single security incident.

The related breach dates back to July 2017, when Facebook, as the company was known at the time, rolled out a video upload function that included a “View As” feature allowing a user to see their Facebook page as another user would see it.

A design error allowed users to call the video uploader through this feature in conjunction with Facebook’s “Happy Birthday Composer” feature to create a fully permissioned user token that gave them full access to that other user’s Facebook profile. They could then use the token to exploit the same set of features against other accounts, gaining unauthorized access to multiple users’ personal files and data, according to the DPC.
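The flaw described above is a principal-confusion bug in token issuance: a sub-feature invoked during a preview minted a token for the user being displayed rather than the user actually logged in. The following is an added, simplified model of that defect beside its corrected form; it is not Facebook’s code, and the `Session`, `mint_token_*` and signing-key names are hypothetical.

```python
# Added illustration (not Facebook's code): a minimal model of the
# principal-confusion flaw behind the 2018 "View As" breach. A preview feature
# renders one user's profile as another user would see it; any token minted
# while that preview is active must stay bound to the real, authenticated
# viewer. All names and the signing key here are constructed for the example.
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple

SECRET = b"demo-signing-key"  # constructed; a real service would use a managed key


@dataclass(frozen=True)
class Session:
    viewer_id: str              # the user who actually authenticated
    view_as_id: Optional[str]   # profile owner being previewed, if "View As" is active


def _sign(claims: dict) -> str:
    """Serialize the claims and attach an HMAC so the token cannot be altered."""
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + mac


def mint_token_vulnerable(session: Session) -> str:
    # Defect: the sub-feature that needs a token asks "whose page is being
    # shown?" and mints a full-permission token for that user.
    subject = session.view_as_id or session.viewer_id
    return _sign({"sub": subject, "scope": "full"})


def mint_token_fixed(session: Session) -> str:
    # Fix: the subject is always the authenticated viewer, and anything minted
    # inside a preview gets a reduced scope so it cannot act as the other user.
    scope = "preview-readonly" if session.view_as_id else "full"
    return _sign({"sub": session.viewer_id, "scope": scope})


def token_subject(token: str) -> Tuple[str, str]:
    """Verify the MAC and return (subject, scope); raise on tampering."""
    body_hex, mac = token.split(".")
    body = bytes.fromhex(body_hex)
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    claims = json.loads(body)
    return claims["sub"], claims["scope"]
```

A useful regression test for any impersonation or preview feature is exactly the first two assertions: with "View As" active, the minted token's subject must equal the authenticated viewer, never the previewed user.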

Between September 14 and September 28, 2018, the watchdog said, unauthorized people used scripts to exploit this Facebook vulnerability and gained the ability to log in as the account holder to nearly 29 million Facebook accounts globally – about 3 million of which were located in the European Union/EEA, which means the incident falls within the enforcement powers of the DPC.

The categories of personal data affected by the breach included Facebook users’ full names; email addresses; telephone numbers; location; places of work; dates of birth; religion; sex; posts on timelines; the groups they were members of; and the personal data of children.

The wide range of personal data affected is likely to have had an impact on the size of the fine.

Two enforcement decisions

The Irish regulator on Tuesday issued a final decision on two investigations it opened into the 2018 incident: one decision covers Meta’s breach notification – as the GDPR requires prompt and comprehensive reporting of major security incidents – and the second relates to the data protection by design and default rules.

In both cases, the Data Protection Commission found that Meta violated the bloc’s GDPR.

The full penalty breaks down as follows: Meta was fined €11 million in relation to the first decision, as the DPC found that Meta’s breach notification did not include all the information it “could and should have”; the company also failed to fully document the facts of the breach and the steps taken to address the problem.

Furthermore, Meta was fined €240 million in relation to the second decision where the DPC asserted that the company violated the GDPR principles of data protection by design as it did not have appropriate measures in place to protect people’s data from inadvertent processing.

Commenting, DPC Deputy Commissioner Graham Doyle said: “This enforcement action highlights how failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including compromising individuals’ fundamental rights and freedoms.

“Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sex life or sexual orientation, and similar matters that a user may wish to disclose only in certain circumstances. By allowing unauthorized disclosure of profile information, the vulnerabilities behind this hack created a high risk of these types of data being misused.”

Another notable element of this enforcement action, taken under DPC Commissioners Dr Des Hogan and Dale Sunderland – who took over from (previously sole) Commissioner Helen Dixon earlier this year – is that no objections were raised to the Irish draft decision by counterpart authorities.

“The DPC is grateful for the cooperation and assistance provided by its counterpart EU/EEA supervisory authorities in this case,” the regulator wrote in a press release.

Critics of the DPC under Dixon accused the regulator of routinely downplaying the application of the GDPR to Meta and other technology giants. Many of its draft decisions on major tech companies at the time were disputed by its peers. A number of enforcement actions against Meta specifically entailed very lengthy dispute procedures – some of which required binding decisions from the European Data Protection Board to finalize the process.

So, it’s worth noting that this latest enforcement against Meta, which the DPC says was submitted as a draft decision to the GDPR’s cooperation mechanism in July 2024, has passed unscathed.

When reached for a response to the penalty, Meta spokeswoman Emily Westcott emailed a statement in which the company wrote: “This decision relates to an incident that occurred in 2018. We took immediate action to fix the issue as soon as we identified it, and proactively notified those affected as well as the Irish Data Protection Commission. We have a wide range of industry-leading measures to protect people across our platforms.”

Back in September, the Data Protection Commission (DPC) issued another decision against Meta in relation to a 2019 security breach – in that case the company was fined €91 million over an incident in which “hundreds of millions” of users’ passwords were stored in plain text on its servers.