Meta Faces €251 Million Fine for 2018 Data Breach Affecting 29 Million Accounts
Meta Platforms, the tech giant behind Facebook, Instagram, WhatsApp, and Threads, has been handed a significant penalty of €251 million (approximately $263 million USD) by the Irish Data Protection Commission (DPC) for a 2018 data breach that compromised the personal information of millions of users. This breach, which affected an estimated 29 million Facebook accounts globally, highlights the serious consequences of failing to implement robust data protection measures. Among the affected accounts, approximately 3 million belonged to users within the European Union (EU) and the European Economic Area (EEA), underscoring the global scale of the incident.
Notably, Meta’s initial estimate had pegged the number of impacted accounts at 50 million; the revised figure of 29 million was lower, but still staggering.
The Breach: A Flaw in Facebook’s Systems
The breach originated from a bug introduced into Facebook’s systems in July 2017. The flaw affected the “View As” feature, a tool that lets users preview their own profile as it appears to another user. By exploiting it, attackers could obtain account access tokens, the bearer credentials Facebook issues to keep a user logged in. Whoever holds such a token is treated as that user without ever supplying a password, so a token minted for the wrong account grants full access to that account’s profile.
The attackers’ activities exposed an alarming range of personal data, including full names, email addresses, phone numbers, locations, places of work, dates of birth, religions, genders, posts on timelines, group memberships, and even sensitive information about children. The scope of the breach demonstrated the potential for significant misuse of personal information.
In detailing how the vulnerability was exploited, the DPC explained, “A user making use of [the View As] feature could invoke the video uploader in conjunction with Facebook’s ‘Happy Birthday Composer’ facility. The video uploader would then generate a fully permissioned user token that gave them full access to the Facebook profile of that other user. A user could then use that token to exploit the same combination of features on other accounts, allowing them to access multiple users’ profiles and the data accessible through them.”
The breach occurred over a two-week period from September 14 to September 28, 2018, during which attackers reportedly employed automated scripts to exploit the flaw on a mass scale. Following the disclosure of the breach in September 2018, Meta took steps to remove the affected functionality from its platform.
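The mechanism the DPC describes above is a token issued for the wrong principal: a component running inside the “View As” preview minted a fully permissioned token for the previewed user instead of the logged-in one, and that token could then be reused to repeat the trick from the next account. The Python below is an added, constructed model of that flaw class. It is not Facebook’s code and is not based on any published Facebook source; the token format, signing key, scope names, and audit-event shape are all assumptions made for the illustration. It places the vulnerable issuance beside a hardened version (the subject is always the authenticated session user, and scopes are limited to what the uploader needs) and adds a check over token-issuance audit events that flags any token whose subject differs from the session’s authenticated user, the signal that would surface the scripted account-to-account pivoting described above.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Hypothetical signing key for this demo only; a real service uses a managed key.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Assumed scope names. The uploader needs one scope; everything else is over-privilege.
UPLOADER_SCOPES = {"video:upload"}
FULL_SCOPES = {"profile:read", "profile:write", "video:upload", "friends:read"}


@dataclass
class Session:
    """An authenticated browser session. `view_as` is set while the user
    previews their own profile as it appears to the user named in `view_as`."""
    user_id: str
    view_as: Optional[str] = None


def sign_token(claims: dict) -> str:
    """HMAC-signed, URL-safe token: <base64url(claims)>.<hex hmac>."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).rstrip(b"=")
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{tag}"


def parse_token(token: str) -> dict:
    """Verify the HMAC and return the claims; raises ValueError on tampering."""
    body, tag = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def issue_uploader_token_vulnerable(session: Session) -> str:
    """Models the flaw: the uploader derives its subject from the rendering
    context (the *previewed* user) and asks for full scopes."""
    subject = session.view_as or session.user_id   # BUG: wrong principal
    return sign_token({"sub": subject, "scopes": sorted(FULL_SCOPES)})


def issue_uploader_token_fixed(session: Session) -> str:
    """Hardened: the subject is always the authenticated principal and the
    scopes are the minimum the uploader needs, whatever preview mode is on."""
    return sign_token({"sub": session.user_id,
                       "scopes": sorted(UPLOADER_SCOPES)})


def flag_confused_issuance(events: list[dict]) -> list[dict]:
    """Detection over token-issuance audit events: a token whose subject is
    not the session's authenticated user is a confused-deputy signal, and a
    burst of them from one session is the scripted-pivot pattern."""
    return [e for e in events
            if parse_token(e["token"])["sub"] != e["session_user"]]


def demo() -> dict:
    alice_viewing_bob = Session(user_id="alice", view_as="bob")
    bad = issue_uploader_token_vulnerable(alice_viewing_bob)
    good = issue_uploader_token_fixed(alice_viewing_bob)
    # Constructed audit trail: alice's session mints tokens while chaining
    # "View As" across several profiles.
    events = [
        {"session_user": "alice", "token": bad},
        {"session_user": "alice", "token": good},
        {"session_user": "alice",
         "token": issue_uploader_token_vulnerable(Session("alice", "carol"))},
    ]
    return {
        "vulnerable_subject": parse_token(bad)["sub"],   # "bob"
        "fixed_subject": parse_token(good)["sub"],       # "alice"
        "fixed_scopes": parse_token(good)["scopes"],     # ["video:upload"]
        "flagged": [parse_token(e["token"])["sub"]
                    for e in flag_confused_issuance(events)],  # ["bob", "carol"]
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that the principal a token is minted for must come from the authenticated session, never from presentation state such as an impersonation or preview mode; the scope reduction in the fixed version is the data-minimization side of the same fix, which maps onto the “Design Failures” and “Processing Excessive Personal Data” findings discussed further down.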
GDPR Violations and the Fine
The DPC concluded that Meta violated multiple provisions of the General Data Protection Regulation (GDPR), resulting in the substantial fine. These violations included:
- Inadequate Breach Notification: Meta failed to include all relevant details in its breach notification to authorities, which delayed critical assessments and responses.
- Poor Documentation of the Incident: The company did not properly document the facts surrounding the breach or the steps taken to address it, hindering the Supervisory Authority’s ability to verify compliance.
- Design Failures in Data Protection: Meta did not incorporate data protection principles effectively into the design and development of its processing systems.
- Processing Excessive Personal Data: The company failed to ensure that only necessary personal data was processed for specific purposes, violating fundamental GDPR principles.
In response to the fine, DPC Deputy Commissioner Graham Doyle stated: “This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals.”
He further emphasized the gravity of the situation, noting that the vulnerabilities in Meta’s systems posed a severe risk of unauthorized exposure and misuse of sensitive data.
Meta’s Troubling Track Record
This €251 million fine is not the first regulatory penalty Meta has faced. In September 2024, the DPC imposed a €91 million ($101.5 million USD) fine on the company for a 2019 incident involving the inadvertent storage of user passwords in plaintext—a basic and widely recognized security lapse.
Additionally, Meta has been involved in other high-profile data privacy scandals, including the misuse of user data for political profiling and targeted advertising. In Australia, the company agreed to a settlement program worth AU$50 million ($31.5 million USD) with the Office of the Australian Information Commissioner (OAIC). This case stemmed from the infamous Cambridge Analytica scandal, in which personal data was harvested without consent through the “This Is Your Digital Life” app. The settlement is set to provide compensation to affected Australian users who held a Facebook account between November 2013 and December 2015.
Implications for Data Protection
The fines and regulatory scrutiny against Meta underscore the increasing importance of data protection and privacy in today’s digital age. Companies handling personal data are expected to integrate stringent privacy measures into their systems from the outset, ensuring compliance with laws such as GDPR. The repercussions for failing to do so are severe, not just in financial terms but also in terms of reputational damage and loss of user trust.
Meta’s repeated violations demonstrate the need for sustained oversight and the implementation of stronger safeguards to protect user data. As regulatory authorities around the world continue to crack down on privacy breaches, businesses are being sent a clear message: the era of lax data protection is over.
The ripple effects of this enforcement action are likely to be felt across the tech industry, serving as a stark reminder of the responsibilities that come with collecting and processing personal data at scale.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – Visit: delta-compliance.com