Meta, the parent company of Facebook, has been hit with a €251 million fine by Ireland’s Data Protection Commission (DPC) in response to a 2018 security breach that affected millions of users worldwide. The breach, disclosed in September 2018, was the result of a vulnerability that allowed unauthorized access to Facebook accounts and sensitive user data, including names, contact information, location, and even children’s personal data.
The breach occurred between September 14 and 28, 2018, impacting approximately 29 million Facebook users globally, with around 3 million of those users based in the European Union. A bug in the design of Facebook’s video upload feature, combined with the “Happy Birthday Composer” tool, allowed malicious actors to exploit the system and gain unauthorized access to user tokens. These tokens granted attackers full access to users’ profiles, which they could then use to compromise additional accounts. The data exposed included users’ email addresses and phone numbers, as well as sensitive details such as religious beliefs, raising significant concerns about user privacy.
This fine is among several penalties Meta has faced under the European Union’s General Data Protection Regulation (GDPR), although it is not the largest one to date. In September 2024, the social media giant was fined €91 million for GDPR violations relating to a user password breach.
It is significant, however, due to the scale of the breach and the severe risks it posed to users’ privacy. The DPC’s decision is based on two primary inquiries: one regarding Meta’s breach notification and another related to its failure to implement data protection measures by design and default. Both of these violations are considered breaches of GDPR.
The fine is broken down into two parts: €11 million for failing to notify the breach comprehensively, including incomplete documentation of the breach details, and €240 million for not ensuring that data protection principles were embedded in the design of Facebook’s systems. The DPC emphasized that the breach exposed individuals to serious risks and harms, including the misuse of sensitive data such as political views, sexual orientation, and other personal details. The failure to include proper safeguards to prevent such exposure could have led to significant consequences for the affected users.
In a statement, DPC deputy commissioner Graham Doyle highlighted that this enforcement action underscores the importance of embedding data protection requirements throughout the design and development phases of systems. By not doing so, Meta exposed users to serious risks to their fundamental rights and freedoms.
Meta has responded to the ruling, pointing out that the incident occurred over five years ago and that the company took immediate action to rectify the issue when it was discovered. The company also stated that it has implemented enhanced measures to protect user data and comply with industry standards. Despite this, the fine serves as a reminder to companies about the importance of maintaining robust data protection protocols, especially when handling sensitive user information.