Meta Fined €251 Million for 2018 Facebook Data Breach

Meta faces €251 million fine for Facebook breach that compromised user data, with regulators citing major GDPR violations.

Meta Platforms, the parent company of Facebook, has been fined €251 million (approximately $263 million) by the Irish Data Protection Commission (DPC) for a data breach that compromised the personal information of 29 million users worldwide, including three million within the European Union.

The breach, first disclosed in September 2018, was traced to vulnerabilities in Facebook’s “View As” feature, which allowed attackers to view user profiles as another individual. Over a two-week period, from September 14 to 28, unauthorized third parties exploited this feature using malicious scripts, gaining access to user tokens and logging into accounts without permission.

The compromised personal information included:

• Full names
• Email addresses
• Phone numbers
• Locations
• Employment details
• Dates of birth
• Religious affiliations
• Gender
• Timeline posts
• Group memberships
• Children’s personal data

GDPR Violations and Fines

The DPC’s investigation uncovered violations of multiple provisions under the General Data Protection Regulation (GDPR), leading to fines totaling €251 million:

1. Article 33(3): Meta was fined €8 million for failing to provide adequate information in its initial breach notification.
2. Article 33(5): A €3 million fine was imposed for insufficient documentation of the breach and remedial actions.
3. Article 25(1): Meta was fined €130 million for failing to embed data protection principles into the design of its systems.
4. Article 25(2): An additional €110 million fine was levied for processing excessive amounts of personal data without clear justification.

Graham Doyle, Deputy Commissioner of the DPC, underscored the significance of these penalties, stating:

“This enforcement action demonstrates the critical need for organizations to integrate data protection measures into system design to prevent exposing individuals to severe risks.”

The breach exposed sensitive user information, potentially threatening users’ fundamental rights and freedoms, Doyle emphasized.

Meta’s Defense

Meta announced plans to appeal the fine, describing the incident as a resolved issue from 2018. A spokesperson for the company stated:

“This decision relates to a 2018 breach that we addressed immediately upon identification. We informed both affected users and the Irish Data Protection Commission proactively.”

Meta also reiterated its commitment to bolstering security across its platforms, noting ongoing improvements in data protection measures.

The fine is the latest in a series of penalties imposed on Meta by European regulators. Just a month earlier, Meta faced a €797 million fine for violations tied to unfair trading practices on its classified ads platform. In July 2024, Nigeria’s Federal Competition and Consumer Protection Commission (FCCPC) and Data Protection Commission (NDPC) jointly fined Meta $220 million for privacy-related infractions.