EU Imposes €251 Million Penalty on Meta for 2018 Data Breach

Vlad CONSTANTINESCU

December 18, 2024


The Irish Data Protection Commission (DPC) slapped a €251 million (roughly $263 million) fine on Meta for a data breach that occurred six years ago.

Timeline of events

Meta Platforms, the parent company of social media services including WhatsApp, Instagram, Facebook and Threads, suffered the breach in 2018. The security incident exposed the sensitive data of millions of Facebook users worldwide, including 3 million in the European Union (EU) and the European Economic Area (EEA).

The company disclosed the breach in September 2018, revealing that it stemmed from a bug in the “View As” feature, a tool that allows users to view their profiles as others would see them.

Exploitation and aftermath

Threat actors exploited the vulnerability, which surfaced in 2017, to steal access tokens and completely take over users’ accounts.

Between Sept. 14 and Sept. 28, 2018, perpetrators systematically exploited the flaw via specially crafted scripts, compromising 29 million Facebook accounts worldwide.

Exposed data included users’ full names, email addresses, locations, phone numbers, dates of birth, workplaces, gender, religion and even personal information about their children.

Threat actors also gained access to timeline posts, group memberships and other sensitive details.
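The failure described above, a preview feature that ends up handing out another user's access token, is a design problem rather than a single coding slip. The following is an added illustration (not Meta's code, and not a reconstruction of the actual Facebook bug) of what "data protection by design" looks like for a View As feature: the preview is computed as a pure authorization decision over a constructed profile model, and no credential is ever minted for the user being impersonated. All names, fields and the token scheme are assumptions for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample model: every profile field carries a visibility level.
PUBLIC, FRIENDS, ONLY_ME = "public", "friends", "only_me"

@dataclass
class Profile:
    user_id: str
    friends: Set[str]
    fields: Dict[str, Tuple[str, str]]  # field name -> (value, visibility)

class SessionStore:
    """Mints bearer tokens, each bound to the principal who authenticated."""
    def __init__(self) -> None:
        self.tokens: Dict[str, str] = {}
    def issue(self, authenticated_user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = authenticated_user
        return token
    def owner_of(self, token: str) -> Optional[str]:
        return self.tokens.get(token)

def visible_fields(profile: Profile, viewer_id: str) -> Dict[str, str]:
    """Pure authorization decision: which fields would viewer_id see?"""
    shown = {}
    for name, (value, vis) in profile.fields.items():
        is_owner = viewer_id == profile.user_id
        is_friend = viewer_id in profile.friends
        if is_owner or vis == PUBLIC or (vis == FRIENDS and is_friend):
            shown[name] = value
    return shown

def view_as_unsafe(store: SessionStore, profile: Profile, viewer_id: str):
    # Anti-pattern: render the preview by creating a real session for the
    # viewer. If that token reaches the browser it is a live credential.
    token = store.issue(viewer_id)
    return visible_fields(profile, viewer_id), token

def view_as_safe(store: SessionStore, profile: Profile,
                 requester_token: str, viewer_id: str) -> Dict[str, str]:
    # By-design alternative: only the authenticated owner may preview, the
    # preview is a read-only computation, and no credential for viewer_id
    # is ever created, so none can leak.
    if store.owner_of(requester_token) != profile.user_id:
        raise PermissionError("only the profile owner may use View As")
    return visible_fields(profile, viewer_id)
```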

Regulatory findings and violations

The DPC found Meta in violation of four key clauses under the General Data Protection Regulation (GDPR):

  • Article 33(3): Failing to include all necessary information in its breach notification.
  • Article 33(5): Neglecting to adequately document the breach’s facts and remediation steps.
  • Article 25(1): Failing to embed data protection principles in system design.
  • Article 25(2): Failing to ensure that only necessary personal data were processed.

“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals,” said DPC Deputy Commissioner Graham Doyle. “Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”

Being prepared for disaster

Data breaches often strike without warning, leaving individuals vulnerable to identity theft and other intrusions. Users are not responsible for these breaches, since the onus lies with companies to secure their systems, but that reality does not absolve users from taking measures to prepare themselves.

Specialized tools like Bitdefender Digital Identity Protection can help users monitor their personal data, identify potential vulnerabilities and reduce the risk of identity misuse. By continuously scanning for compromised data online, offering helpful insights and providing quick, one-click actions to patch detected holes in digital footprints, this solution empowers users to stay ahead of data breaches, even when companies fall short in safeguarding their systems.
