Key Points
- EU privacy regulator fined Meta €251 million over a 2018 Facebook data breach.
- Hackers exploited Facebook’s “View As” feature bugs to steal access tokens. The breach affected 29 million accounts globally, including 3 million in Europe.
- Ireland’s Data Protection Commission found Meta violated GDPR rules. Meta fixed the issue promptly, informed users, and notified authorities.
- The company plans to appeal the decision, defending its response to the breach.
Facebook owner Meta was fined €251 million ($264 million) on Tuesday following two inquiries into a personal data breach. The European Union investigated a significant 2018 data breach that compromised millions of accounts. Ireland’s Data Protection Commission (DPC) issued the penalties. The DPC serves as Meta’s lead privacy regulator in the EU, and the company’s European headquarters are in Dublin.
The breach occurred when hackers exploited vulnerabilities in Facebook’s code, particularly in the “View As” feature, which allows users to see how their profiles appear to others. By leveraging three distinct bugs, attackers stole digital access keys, known as “access tokens,” from user accounts. These tokens controlled the affected accounts, enabling the attack to spread as hackers moved from one user’s Facebook friends to another.
When the breach was initially revealed, Facebook estimated that up to 50 million accounts were affected. However, further investigations clarified the number to be around 29 million, including 3 million European accounts, according to the DPC. Meta emphasized that after identifying the issue, it immediately addressed the vulnerability, informed impacted users, and notified regulators, including the FBI and European and U.S. authorities.
The Irish watchdog found that Meta had violated the General Data Protection Regulation (GDPR), the EU’s stringent privacy framework. The investigation concluded with reprimands and significant administrative fines. Meta has since announced its intention to appeal the decision, stating that the company “proactively informed people impacted” and “fixed the problem as soon as it was identified.”
This decision highlights the growing scrutiny tech giants face under EU privacy laws. GDPR mandates that companies must take robust measures to protect user data and imposes severe penalties for breaches and failures to comply. The 2018 incident remains one of the largest data breaches in Facebook’s history, underscoring the ongoing challenges of ensuring digital security on major social media platforms.
