Meta Platforms, the parent company of Facebook, Instagram, WhatsApp and Threads, was fined 251 million euros (about $263 million) for a data breach in 2018 that affected millions of users in the block. the latest financial hit the company has been found guilty of violating strict privacy laws.
The Irish Data Protection Commission (DPC) said the data breach affected around 29 million Facebook accounts worldwide, of which around 3 million are located in the European Union and the European Economic Area (EEA). It should be noted that initial estimates by the tech giant put the total number of affected accounts at 50 million.
The incident that the social network company opened back in September 2018 arose from a bug that was introduced into Facebook’s systems in July 2017, allowing unknown threat actors to use the “View As” feature, which allows a user to see their profile as someone else.
Ultimately, this allowed for account access tokens, which allowed attackers to hack victims’ accounts. Categories of personal data affected by the breach included users’ full names, email addresses, phone numbers, locations, places of employment, dates of birth, religion, gender, timeline posts, groups they were a member of, and personal children’s data.
“A user using the (View As) feature can invoke the video downloader in conjunction with Facebook’s Happy Birthday Composer feature,” DPC said. said.
“The user who uploaded the video would have created a fully authorized user token that gave them full access to that other user’s Facebook profile. The user could then use that token to use the same combination of features on other accounts, allowing them to access multiple users’ “profiles and the data available through them.”
The DPA also said that between September 14 and 28, 2018, attackers used scripts to exploit the flaw and gained unauthorized access to 29 million Facebook accounts worldwide. Meta has since removed the functionality that caused the problem.
Fines are imposed for breaching four different points of the GDPR data privacy laws, viz Article 33(3), Article 33(5), Article 25(1) and Article 25(2) –
- Failure to include in the infringement notice all the information it could and should have included
- Failure to document the facts surrounding each violation, the steps taken to address them, and do so in a manner that allows the Regulatory Authority to verify compliance
- Failure to ensure compliance with data protection principles when developing processing systems
- Failure to fulfill your obligations as a controller to ensure that only personal data necessary for specific purposes is processed
“This enforcement action highlights how failure to comply with data protection requirements throughout the design and development cycle can expose people to very serious risks and harms, including risks to people’s fundamental rights and freedoms,” said DPC Deputy Commissioner Graham Doyle.
“By allowing the unauthorized disclosure of profile information, the vulnerabilities behind this breach created a serious risk of misuse of these types of data.”
This is the second such fine issued by the DPC against Meta, which was imposed by a A fine of €91 million ($101.5 million). back in September 2024. for a security issue in 2019 that involved inadvertently storing user passwords in clear text.
The development comes after Meta also agreed to a A$50 million ($31.5 million) payment program to settle with the Office of the Australian Information Commissioner (OAIC) over the misuse of personal information users for political profiling and ad targeting as a result of the The Cambridge Analytica scandal of 2018.
The scheme is open to individuals who had a Facebook account between 2nd November 2013. until December 17, 2015; were in Australia for more than 30 days during that period; and either installed the This is Your Digital Life app or were Facebook friends with the person who installed the app.
They say that 53 Australian Facebook users installed the app, and 311,074 Facebook users could request their personal information as friends of those who downloaded it.
The settlement offers two levels of compensation: a basic payment to those who have experienced general concern or embarrassment because of the leak, and a specific payment to those who can demonstrate that they have suffered loss or damage. The payment program is expected to officially accept applications in the second quarter of 2025.
“It represents a significant resolution to the privacy concerns raised in connection with the Cambridge Analytica case, gives potentially affected Australians the opportunity to seek redress through the Meta payment program and ends the long-running legal process,” said Australian Information Commissioner Elizabeth Tidd. said.
