Meta has been fined €251 million (around $263 million) in the European Union for a Facebook security breach that affected millions of users and that the company disclosed back in September 2018.
The penalty, issued on Tuesday by Ireland’s Data Protection Commission (DPC) — enforcing the bloc’s General Data Protection Regulation (GDPR) — is far from being the largest GDPR fine Meta has been hit with since the regime came into force over five years ago but is notable for being a substantial sanction for a single security incident.
The breach it relates to dates back to July 2017 when Facebook, as the company was still known then, rolled out a video upload function that included a “View as” feature which let the user see their own Facebook page as it would be seen by another user.
A bug in the design allowed users making use of the feature to invoke the video uploader in conjunction with Facebook’s ‘Happy Birthday Composer’ facility to generate a fully permissioned user token that gave them full access to the Facebook profile of that other user. They could then use the token to exploit the same combination of features on other accounts — gaining unauthorized access to multiple users’ profiles and data, per the DPC.
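As an added illustration (not Meta's code, and not a description of Facebook's actual implementation), the toy Python model below shows the design failure behind this class of bug: an access token whose subject is taken from the page's rendering context ("view as" another user) rather than from the authenticated session. The flawed issuer sits beside a hardened one that treats a preview as read-only rendering and never mints a credential there, and a small audit function flags issued tokens whose subject differs from the session owner. The names Session, sign_token, issue_token_vulnerable, issue_token_hardened and find_subject_mismatches, the signing key and the log entries are all constructed for the example.

```python
"""
Added illustration, not Meta/Facebook code: a toy model of the access-token
flaw described above. A preview ("View as") session renders a page as another
user would see it; a second feature asks for a token for "the user on the page".
If the token issuer takes its subject from the rendering context instead of
the authenticated session, the preview turns into a credential for someone else.
All names (Session, sign_token, issue_token_*) are hypothetical.
"""
import base64
import hashlib
import hmac
import json

# Constructed signing key for the demo; a real service loads this from a secret store.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"

WRITE_SCOPES = {"profile:write", "post:create"}


class Session:
    """Authenticated browser session; view_as is set while previewing a profile."""

    def __init__(self, authenticated_user, view_as=None):
        self.authenticated_user = authenticated_user
        self.view_as = view_as

    def rendered_user(self):
        """Identity used to render the page (who the page is being shown as)."""
        return self.view_as or self.authenticated_user


class TokenIssuanceError(Exception):
    pass


def sign_token(subject, scopes):
    """Mint an HMAC-signed bearer token for subject with the given scopes."""
    payload = json.dumps({"sub": subject, "scopes": sorted(scopes)}, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_token(token):
    """Return the payload dict if the signature is valid, else raise ValueError."""
    body, _, sig = token.rpartition(".")
    payload = base64.urlsafe_b64decode(body.encode())
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(payload)


def issue_token_vulnerable(session, scopes):
    """Flawed pattern: the subject is whoever the page is being rendered as."""
    return sign_token(session.rendered_user(), scopes)


def issue_token_hardened(session, scopes):
    """Defensive pattern: the subject is always the authenticated principal, and
    a preview context is treated as read-only rendering, never as a credential
    context, so no token is minted there at all."""
    if session.view_as is not None:
        raise TokenIssuanceError("token issuance is disabled inside view-as preview")
    return sign_token(session.authenticated_user, scopes)


def find_subject_mismatches(issuance_log):
    """Audit check: flag any issued token whose subject is not the session owner.

    issuance_log is an iterable of (authenticated_user, token) pairs, e.g.
    joined from session and token-issuance logs."""
    findings = []
    for authenticated_user, token in issuance_log:
        claims = verify_token(token)
        if claims["sub"] != authenticated_user:
            findings.append((authenticated_user, claims["sub"], claims["scopes"]))
    return findings


if __name__ == "__main__":
    preview = Session("alice", view_as="bob")
    # The flaw: alice's preview of bob's page yields a token acting as bob.
    leaked = issue_token_vulnerable(preview, WRITE_SCOPES)
    print("vulnerable issuer minted token for:", verify_token(leaked)["sub"])
    # The hardened issuer refuses in preview and otherwise binds the subject to alice.
    try:
        issue_token_hardened(preview, WRITE_SCOPES)
    except TokenIssuanceError as e:
        print("hardened issuer:", e)
    ok = issue_token_hardened(Session("alice"), {"profile:read"})
    print("hardened issuer minted token for:", verify_token(ok)["sub"])
    # Constructed log: one legitimate issuance, one subject mismatch.
    print(find_subject_mismatches([("alice", ok), ("alice", leaked)]))
```

The point of the hardened version is that the identity a page is rendered as is presentation state, while the identity a credential is bound to must come from authentication; keeping the two in separate fields and refusing issuance in preview mode makes the confusion impossible rather than merely unlikely. The audit function is the kind of after-the-fact check a detection team can run over token logs to spot tokens minted for someone other than the session owner.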
Between September 14 and September 28, 2018, the watchdog said unauthorised persons used scripts to exploit this Facebook vulnerability and gained the ability to log on as the account holder to approximately 29 million Facebook accounts globally — around 3 million of which were based in the EU/European Economic Area, meaning they fall under the DPC’s enforcement powers.
Categories of personal data impacted by the breach included Facebook users’ full names; email addresses; phone numbers; location; places of work; dates of birth; religion; gender; posts on timelines; groups of which they were a member; and children’s personal data.
The broad sweep of impacted personal data is likely to have influenced the size of the fine.
Two enforcement decisions
On Tuesday the Irish regulator issued final decisions on two inquiries it opened into the 2018 incident: one decision covers Meta’s breach notification, as the GDPR requires prompt and comprehensive reporting of major security incidents; the second concerns the rules on data protection by design and default.
In both cases the DPC found Meta infringed the bloc’s GDPR.
The full sanction breaks down as follows: Meta has been fined €11 million in relation to the first decision, with the DPC finding that Meta’s breach notification did not include all the information it “could and should have”; nor did the company fully document the facts of the breach and the steps taken to remedy the issue.
On top of that, Meta has been fined €240 million in relation to the second decision where the DPC confirmed the company violated GDPR principles of data protection by design as it did not have appropriate measures in place to protect people’s data from unintended processing.
Commenting in a statement, DPC deputy commissioner Graham Doyle said: “This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals.
“Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”
Another notable element of the enforcement under the DPC’s two commissioners, Dr. Des Hogan and Dale Sunderland — who took over from (formerly the sole) commissioner Helen Dixon earlier this year — is that no objections were raised to Ireland’s draft decision by peer authorities.
“The DPC is grateful for the cooperation and assistance of its peer EU/EEA supervisory authorities in this case,” the regulator wrote in a press release.
Critics of the DPC under Dixon accused the regulator of routinely under-enforcing the GDPR on Meta and other tech giants. And many of its draft decisions on Big Tech at that time were disputed by its peers. A number of enforcements against Meta specifically entailed very lengthy dispute proceedings — with some requiring binding decisions from the European Data Protection Board to conclude the process.
So it’s notable that this latest enforcement against Meta, which the DPC says was submitted as a draft decision to the GDPR cooperation mechanism in July 2024, passed through unscathed.
Reached for a response to the penalty, Meta spokeswoman Emily Westcott emailed a statement in which the company wrote: “This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission. We have a wide range of industry-leading measures in place to protect people across our platforms.”
Back in September, the DPC issued another decision against Meta vis-à-vis a 2019 security breach — in that instance the company was fined €91 million in relation to an incident in which “hundreds of millions” of users’ passwords had been stored in plaintext on its servers.