Meta has been hit with a €251 million fine by the Irish Data Protection Commission (DPC) for a 2018 Facebook data breach that exposed the personal information of 29 million users worldwide, including three million in the EU.
The breach occurred when unauthorized parties exploited a vulnerability in Facebook’s token system, granting them access to users’ accounts. Sensitive data such as names, email addresses, phone numbers, locations, and even children’s information were compromised. While Meta quickly resolved the issue, the DPC found that the company had failed to implement adequate data protection measures.
The DPC’s investigation revealed Meta’s violations of the General Data Protection Regulation (GDPR), including its failure to document the breach adequately and to design systems that prioritize data security. According to DPC Deputy Commissioner Graham Doyle, the breach posed a severe risk to individuals’ fundamental rights by exposing sensitive profile details such as religious beliefs and sexual orientation to potential misuse.
This penalty adds to the mounting regulatory challenges Meta faces globally. Just last month, the EU imposed a €797 million fine on Meta for anti-competitive practices tied to Facebook Marketplace. In July, Nigeria’s regulatory bodies fined Meta $220 million over unauthorized data transfers and privacy violations involving Nigerian users.
As Meta continues to grapple with legal scrutiny, the fine serves as a warning to tech giants about the critical importance of embedding data protection into system design and operations. Regulatory bodies worldwide are stepping up their efforts to hold companies accountable for safeguarding user data.