Meta Faces US$263 Million Fine for 2018 EU Data Breach
By Diego Valverde | Journalist & Industry Analyst
Tue, 12/17/2024 - 17:00
Meta Platforms has been fined €251 million (US$263 million) by the Irish Data Protection Commission (DPC) for a 2018 security breach that affected around 3 million users in the European Union (EU). The fine addresses violations of the General Data Protection Regulation (GDPR) and stems from Meta’s failure to implement sufficient data protection measures.
The decision consists of two enforcement rulings: one concerning Meta’s breach notification process and another for the company’s failure to comply with GDPR principles of data protection by design and default.
“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals,” stated Graham Doyle, DPC Deputy Commissioner, in a press release.
The 2018 breach occurred due to a vulnerability linked to Facebook’s “View as” feature, a tool that allowed users to view their profiles as others would see them. A bug in the feature, coupled with Facebook’s “Happy Birthday Composer” tool, enabled attackers to exploit the system and generate user tokens that provided full access to Facebook profiles and their associated data. The breach occurred between Sep. 14 and Sep. 28, 2018, during which scripts were used to access approximately 29 million accounts globally, including 3 million in the EU.
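The design weakness described above, at the level of principle, is that a "view as" preview was able to produce a credential that acted as the viewed user rather than the viewer. The following is an added, hypothetical illustration of that flaw class and of the "data protection by design" fix; it is constructed for this article and is not Facebook's code. All names (`mint_token`, `render_preview_vulnerable`, `render_preview_hardened`, the signing key and the sample profile data) are assumptions made for the example.

```python
"""Hypothetical 'view as' preview: vulnerable vs. hardened token minting.

Constructed example, not code from Meta or this article. The point it
demonstrates: a preview of another user's profile must never mint a
token whose subject is that other user. The token must keep acting as
the real viewer, with a scope that cannot read private fields.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed signing key, regenerated on each run (assumption for the demo).
SIGNING_KEY = secrets.token_bytes(32)

# Constructed sample data: the kind of fields the article lists as exposed.
PRIVATE_DATA = {
    "alice": {"email": "alice@example.invalid", "phone": "+1-000-000-0000"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, scope: str, preview_of: Optional[str] = None) -> str:
    """Issue an HMAC-signed token. 'sub' is the principal the token acts as."""
    claims = {"sub": subject, "scope": scope, "preview_of": preview_of}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def parse_token(token: str) -> dict:
    """Verify the signature and return the claims; reject tampered tokens."""
    payload_b64, sig_b64 = token.split(".")
    payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad token signature")
    return json.loads(payload)


def read_private_profile(token: str, owner: str) -> dict:
    """Private fields are released only to a full-scope token acting as the owner."""
    claims = parse_token(token)
    if claims["sub"] != owner or claims["scope"] != "full":
        raise PermissionError("token does not act as the profile owner with full scope")
    return PRIVATE_DATA[owner]


def render_preview_vulnerable(viewer: str, target: str) -> str:
    """Flawed design: render 'how target sees my profile' by minting a token
    AS the target. The viewer now holds a credential for someone else's account;
    the 'viewer' argument is not even consulted."""
    return mint_token(subject=target, scope="full")


def render_preview_hardened(viewer: str, target: str) -> str:
    """Design fix: the token keeps acting as the viewer. The preview intent is
    recorded as a claim, and the narrow 'preview' scope cannot read private data."""
    return mint_token(subject=viewer, scope="preview", preview_of=target)


if __name__ == "__main__":
    leaked = render_preview_vulnerable("mallory", "alice")
    print("vulnerable preview token reads:", read_private_profile(leaked, "alice"))
    safe = render_preview_hardened("mallory", "alice")
    try:
        read_private_profile(safe, "alice")
    except PermissionError as exc:
        print("hardened preview token denied:", exc)
```

The check that matters is in `read_private_profile`: it authorizes on the token's subject and scope, so the fix is enforced server-side regardless of what the preview UI does. A review of any impersonation or preview feature should ask the same two questions: whose identity does the issued credential carry, and what is the narrowest scope that still lets the feature work.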
Data compromised in the breach included users’ full names, email addresses, phone numbers, locations, employment details, dates of birth, gender, religious beliefs, group memberships, and posts.
The DPC’s final ruling includes two specific penalties:
- Breach Notification Failures (€11 million): Meta was fined for not promptly and comprehensively reporting the breach as required under GDPR. The investigation found that Meta’s notification lacked complete information regarding the breach, including the facts of the incident and steps taken to address the issue.
- Violation of Data Protection by Design (€240 million): The DPC determined that Meta failed to implement adequate measures to prevent unauthorized access to user data, violating GDPR’s core principle of data protection by design and default.
Regulatory Context and Enforcement
The decision marks a significant milestone for the DPC, particularly as it faced no objections from peer EU supervisory authorities during the GDPR cooperation mechanism process. This outcome, according to TechCrunch, contrasts with past criticisms of the DPC, which previously faced disputes over draft decisions involving Meta and other technology companies.
The final decision was taken by Commissioners Des Hogan and Dale Sunderland, who lead the DPC, after two inquiries into the 2018 incident.
“This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission. We have a wide range of industry-leading measures in place to protect people across our platforms,” stated Emily Westcott, Meta’s spokeswoman.
Meta’s fine highlights the financial and reputational risks of non-compliance and underscores the increasing scrutiny that technology companies, especially Big Tech, face from European regulators. The decision also signals a more streamlined enforcement process under the DPC’s current leadership, as peer regulators in the EU raised no objections.
In recent years, Meta has faced multiple fines under the GDPR. In September, as MBN previously reported, the DPC issued a separate US$101.5 million penalty related to a 2019 security breach in which millions of users’ passwords were stored in plaintext.