Meta Platforms, the parent company of Facebook, Instagram, WhatsApp, and Threads, has been hit with a €251 million fine by the Irish Data Protection Commission (DPC) for a data breach that occurred in 2018. The breach, which impacted approximately 29 million Facebook accounts worldwide, including 3 million in the European Union, stemmed from a vulnerability in Facebook’s “View As” feature. The flaw allowed attackers to exploit account access tokens, which led to unauthorized access to users’ personal data. Initially, Meta had estimated that 50 million accounts were affected by the breach.
The DPC’s penalty comes after an investigation found that Meta violated four key provisions of the General Data Protection Regulation (GDPR). These violations included failing to provide complete breach notifications, not properly documenting the steps taken to remedy the breach, and not ensuring that data protection principles were integrated into system designs. The breach exposed sensitive personal information, including names, emails, phone numbers, dates of birth, locations, and even children’s data, posing significant risks to privacy and security.
The breach occurred between September 14 and 28, 2018, when malicious actors used scripts to exploit the vulnerability, allowing them to access multiple user accounts. The DPC emphasized that the breach could have had serious consequences, including the misuse of the exposed data. Meta has since removed the faulty functionality and has been working to enhance its security measures, but the fine underscores the importance of building in data protection requirements during system development to avoid such breaches.
This is the second major fine Meta has received this year. In September 2024, the DPC issued a €91 million penalty for a separate security issue in 2019 in which Meta inadvertently stored users’ passwords in plaintext. Additionally, Meta has reached a settlement with Australian authorities regarding the misuse of user data for political profiling in the wake of the 2018 Cambridge Analytica scandal. These ongoing penalties reflect mounting scrutiny of Meta’s data privacy practices and the increasing regulatory pressure it faces across the globe.