Meta Fined €251M Over 2018 Data Breach Affecting 29M Users

Meta Platforms Fined €251 Million for Major 2018 Data Breach: What You Need to Know

Meta Platforms, the parent company of Facebook, Instagram, WhatsApp, and Threads, has recently faced a hefty fine of €251 million (approximately $263 million) due to a significant 2018 data breach that compromised millions of user accounts. This latest financial penalty underscores Meta’s ongoing challenges in adhering to stringent privacy regulations, particularly within the European Union (EU) and European Economic Area (EEA).

The Irish Data Protection Commission (DPC) reported that the breach affected around 29 million Facebook accounts worldwide, with approximately 3 million of those accounts located within the EU and EEA. Initially, Meta estimated that up to 50 million accounts had been impacted. This breach originated from a bug introduced in July 2017, which allowed unauthorized individuals to exploit the "View As" feature, a function that lets users see their profiles as others would.

Details of the 2018 Data Breach

The data breach involved several critical vulnerabilities that allowed attackers to gain unauthorized access to user accounts. Here’s a breakdown of the key points:

  • Exploited Vulnerability: Attackers exploited the "View As" feature in conjunction with Facebook’s video uploader and "Happy Birthday Composer," generating access tokens that allowed them to infiltrate multiple accounts.
  • Personal Data Compromised: The breach resulted in the exposure of various personal information, including users’ full names, email addresses, phone numbers, locations, work details, dates of birth, religion, gender, and even children’s personal data.
  • Timeline of Events: The malicious activity occurred between September 14 and 28, 2018, ultimately impacting 29 million accounts. Meta has since removed the vulnerable functionality.
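The first bullet describes a confused-deputy failure: a preview feature that ended up issuing access tokens for the account being previewed rather than the account that was actually logged in. The Python below is an added illustration of that bug class and its fix, written for this page; it is not Facebook's code, and the token format, scope names, user ids and signing key are all constructed. It shows the weak pattern (the preview path reuses normal token issuance with the viewed user as subject), the hardened pattern (tokens are always bound to the authenticated principal, with the previewed identity carried only as a read-only scope), and the issuance-time invariant a defender can log or alert on: token subject must equal session principal.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed per-process signing key; a real service would use a managed, rotated key.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, scopes: tuple) -> str:
    """Issue an HMAC-signed bearer token; `subject` is the account it acts for."""
    payload = json.dumps({"sub": subject, "scopes": sorted(scopes)}, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str):
    """Return the claims if the signature verifies, otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


def preview_token_vulnerable(session_user: str, viewed_user: str) -> str:
    """Weak pattern (hypothetical): the preview renders the page *as* viewed_user and
    reuses the ordinary issuance path, so the token's subject becomes viewed_user and
    carries the full scope set. session_user is ignored entirely."""
    return mint_token(viewed_user, ("profile:read", "profile:write"))


def preview_token_hardened(session_user: str, viewed_user: str) -> str:
    """Hardened pattern: the subject is always the authenticated principal; the
    previewed identity is a read-only rendering scope, never the token subject."""
    return mint_token(session_user, ("preview:" + viewed_user,))


def authorize(token: str, acting_as: str, scope: str) -> bool:
    """Check every API call should make: valid signature, token subject equals the
    account being acted on, and the required scope is present."""
    claims = verify_token(token)
    if claims is None:
        return False
    return claims["sub"] == acting_as and scope in claims["scopes"]


def audit_issuance(session_user: str, token: str) -> dict:
    """Issuance-time invariant worth logging: a token whose subject differs from the
    session that requested it is a confused-deputy signal, regardless of feature."""
    claims = verify_token(token) or {}
    subject = claims.get("sub")
    return {
        "session_user": session_user,
        "token_subject": subject,
        "subject_mismatch": subject != session_user,
    }


if __name__ == "__main__":
    # Constructed scenario: "alice" is logged in and previews her profile as "bob".
    weak = preview_token_vulnerable("alice", "bob")
    safe = preview_token_hardened("alice", "bob")
    print("weak token lets alice write as bob:", authorize(weak, "bob", "profile:write"))
    print("hardened token lets alice write as bob:", authorize(safe, "bob", "profile:write"))
    print("audit of weak issuance:", audit_issuance("alice", weak))
    print("audit of hardened issuance:", audit_issuance("alice", safe))
```

The design point is that the preview identity never reaches the field that authorization keys on; a downstream component (an uploader, a composer) that asks for a token for "the user this page is rendered as" cannot escalate, because the issuer only ever answers with the session's own principal. The `audit_issuance` check is cheap to run at the token-minting choke point and catches the whole class rather than one feature.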

Regulatory Violations and Consequences

The DPC’s investigation revealed several violations of the General Data Protection Regulation (GDPR), including:

  1. Inadequate Breach Notification: Meta failed to provide all necessary information during its breach notification.
  2. Insufficient Documentation: The company did not adequately document the breach facts and remediation steps for supervisory authorities.
  3. Privacy by Design: Meta did not ensure that data protection principles were integrated into its processing systems.
  4. Data Minimization Failures: The company did not limit data processing to what was necessary for specific purposes.

Graham Doyle, DPC Deputy Commissioner, emphasized the serious risks to individuals due to these failures, stating that unauthorized exposure of profile information could lead to grave risks of data misuse.

Previous Fines and Ongoing Legal Issues

This recent fine is not an isolated incident for Meta. In September 2024, the company was fined €91 million ($101.5 million) for a separate security issue involving plaintext password storage. Additionally, Meta has agreed to an AU$50 million ($31.5 million) settlement related to the misuse of personal information for political profiling in the wake of the 2018 Cambridge Analytica scandal. This settlement will allow affected Australian users to apply for compensation starting in the second quarter of 2025.

Conclusion

The €251 million fine against Meta Platforms highlights the critical importance of data protection compliance in today’s digital landscape. As regulatory scrutiny intensifies, companies must prioritize user privacy and security.

For further reading, check out the Irish Data Protection Commission and the GDPR official website for more insights.
