Meta Fined for Facebook Data Breach: Meta Platforms, the parent company of Facebook, Instagram, WhatsApp, and Threads, has been fined €251 million by the Irish Data Protection Commission (DPC) for a 2018 Facebook data breach that exposed the personal data of millions of users.
This significant penalty highlights the consequences of failing to uphold stringent privacy standards outlined under the General Data Protection Regulation (GDPR).
The breach, caused by a flaw in Facebook’s “View As” feature, allowed attackers to gain access to 29 million accounts worldwide, including 3 million within the European Union (EU).
This latest fine is part of a broader trend of heightened scrutiny and enforcement actions against Meta for privacy violations.
Key Takeaway: Meta Fined for Facebook Data Breach
- Meta’s €251 million fine underscores the critical need for organizations to ensure robust data protection mechanisms to comply with GDPR.
The 2018 Facebook Data Breach
The 2018 Facebook data breach stemmed from a vulnerability in the platform’s “View As” feature, introduced in July 2017. This feature allowed users to see how their profiles appeared to others.
However, attackers exploited it to obtain account access tokens, effectively granting them unauthorized access to user accounts.
Between September 14 and 28, 2018, malicious actors used scripts to exploit this flaw, gaining access to the profiles and personal data of 29 million accounts globally. This included sensitive information such as:
| Data Categories Impacted |
|---|
| Full names |
| Email addresses |
| Phone numbers |
| Locations |
| Places of work |
| Dates of birth |
| Religion |
| Gender |
| Timeline posts |
| Membership in groups |
| Children’s personal data |
GDPR Violations and €251 Million Fine
The DPC identified multiple breaches of GDPR by Meta, including:
- Incomplete breach notification: Meta failed to provide full details of the breach in its notification to the DPC.
- Inadequate documentation: The company did not adequately document the breach, preventing the supervisory authority from verifying compliance.
- Flaws in system design: Meta failed to incorporate data protection principles into its system design and development.
- Excessive data processing: The company processed more personal data than necessary for its operations.
These violations resulted in a substantial €251 million fine, emphasizing the importance of embedding data protection at every stage of system development.
Broader Implications for Meta
This isn’t Meta’s first encounter with significant fines for privacy breaches. Earlier in September 2024, the DPC fined the company €91 million for a 2019 incident involving the storage of users’ passwords in plaintext.
Additionally, Meta recently agreed to a $31.5 million settlement with the Australian Information Commissioner over the misuse of user data during the Cambridge Analytica scandal.
This shows a consistent pattern of privacy missteps and enforcement actions against the tech giant.
Mitigation Efforts and Recommendations
Meta has since taken steps to address the 2018 breach, including:
- Removing the “View As” feature.
- Strengthening internal security protocols.
- Improving transparency in reporting and documenting breaches.
Organizations must learn from this incident by prioritizing:
| Key Steps for Data Protection |
|---|
| Conducting regular security audits |
| Implementing data minimization practices |
| Embedding privacy principles into design |
| Training employees on GDPR compliance |
About Meta
Meta Platforms is a leading technology company that operates popular platforms like Facebook, Instagram, WhatsApp, and Threads. It serves billions of users globally, making data protection a critical aspect of its operations.
Rounding Up
The fine imposed on Meta for the Facebook data breach serves as a wake-up call for organizations worldwide. With GDPR enforcement becoming increasingly stringent, companies must ensure robust data protection measures to avoid hefty fines and reputational damage.
The €251 million penalty not only highlights Meta’s failure to safeguard user data but also underscores the broader risks associated with inadequate privacy practices.
FAQs
What caused the 2018 Facebook data breach?
- A flaw in the “View As” feature allowed attackers to gain unauthorized access to user accounts.
What data was compromised in the breach?
- Personal information, including full names, email addresses, phone numbers, and more, was exposed.
What is GDPR, and how did Meta violate it?
- GDPR is a European Union regulation for data protection. Meta violated its principles by failing to secure data, document breaches adequately, and minimize data processing.
Has Meta taken steps to prevent future breaches?
- Yes, Meta has removed the vulnerable feature and strengthened its security protocols.