The Irish Data Protection Commission (DPC) has imposed a new fine on Meta, this time due to a breach of personal data affecting 29 million Facebook accounts worldwide, of which 3 million were located in the EU and/or European Economic Area.
The fine, totaling €251 million ($263.51 million), is the result of an investigation that began in 2018, following Meta’s report of a data leak involving Facebook profiles.
The source of the vulnerability that led to the massive data leak was the introduction of the “View As” feature on Facebook in July 2017. This feature allowed users to see their own Facebook page as another user would and included a video-uploading tool.
However, the video uploader generated a user token with full permissions to access a Facebook profile, allowing anyone who obtained that token to repeat the process against other accounts and gain access to them and their data. That is exactly what happened.
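To make the design flaw concrete, here is an added, hypothetical model (not Facebook's code, and all names are assumptions) of a preview page minting a token for the previewed account with full scope, beside the hardened form and the kind of check a reviewer could run against either.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional

# Constructed scope set standing in for "full permissions" on a profile.
FULL_SCOPE = frozenset({"read_profile", "read_messages", "post", "manage_friends"})
UPLOADER_SCOPE = frozenset({"upload_video"})


@dataclass(frozen=True)
class Token:
    subject: str              # the account this token acts as
    scopes: FrozenSet[str]    # what the token may do


def mint_token_flawed(viewer: str, view_as: Optional[str]) -> Token:
    """Hypothetical model of the defect: the preview renders as `view_as`,
    so the embedded uploader mints its token for the *previewed* account,
    with full permissions, instead of for the person who logged in."""
    subject = view_as if view_as else viewer
    return Token(subject=subject, scopes=FULL_SCOPE)


def mint_token_fixed(viewer: str, view_as: Optional[str]) -> Token:
    """Hardened form: a token is only ever bound to the authenticated viewer,
    carries only the scope the uploader needs, and preview mode mints none."""
    if view_as is not None and view_as != viewer:
        raise PermissionError("no tokens are issued while previewing another account")
    return Token(subject=viewer, scopes=UPLOADER_SCOPE)


def audit(minter: Callable[[str, Optional[str]], Token],
          viewer: str, view_as: str) -> List[str]:
    """Design-review check: does the token's subject ever differ from the
    authenticated principal, and does its scope exceed the feature's need?"""
    findings: List[str] = []
    try:
        tok = minter(viewer, view_as)
    except PermissionError:
        return findings  # refusing to mint in preview mode is the safe outcome
    if tok.subject != viewer:
        findings.append(f"token subject {tok.subject!r} != authenticated viewer {viewer!r}")
    if tok.scopes - UPLOADER_SCOPE:
        findings.append("token scope exceeds what the uploader needs")
    return findings


if __name__ == "__main__":
    for name, minter in (("flawed", mint_token_flawed), ("fixed", mint_token_fixed)):
        print(name, audit(minter, "alice", "bob"))
```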
Between September 14 and 18, 2018, unauthorized individuals exploited this security flaw and accessed 29 million Facebook accounts globally, about 3 million of which belonged to users from the European Union and/or the European Economic Area.
As noted by the DPC, the categories of personal data exposed included sensitive information such as: the user’s full name, email address, phone number, location, workplace, date of birth, religion, gender, timeline posts, groups a user was a member of, and children’s personal data.
Once Meta Platforms Ireland Limited (MPIL), the tech company’s subsidiary in Ireland, became aware of the issue, it reported it to the DPC. The company also closed the vulnerability shortly after discovering it.
Finally, the Data Protection Commissioners, Dr. Des Hogan and Dale Sunderland, presented the decisions following the investigation. These include “a series of reprimands,” as well as the order to pay four administrative fines with a total combined value of €251 million.
The violations detected during the investigation and their corresponding fines are as follows:
Graham Doyle, Deputy Commissioner of the DPC, stated: “This enforcement action highlights how failing to incorporate data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to people’s fundamental rights and freedoms.