Irish regulator fines Meta €251 million for security breach that affected millions of users globally


A bug in design allowed malicious actors to seize control of other users’ profiles via Facebook’s “View As” feature.

The Irish Data Protection Commission (DPC) issued last week a €251 million fine to Meta Platforms Ireland Limited (MPIL) for violations of the General Data Protection Regulation (GDPR) stemming from a security breach on Facebook disclosed in September 2018.

The breach affected approximately 29 million Facebook accounts globally, including around 3 million within the EU/European Economic Area (EEA).

The incident originated from a vulnerability introduced in July 2017 through Facebook's ‘View As’ feature and its video upload function. This combination, coupled with the ‘Happy Birthday Composer’ tool, allowed unauthorized actors to exploit user tokens, the digital keys that grant full access to user profiles.
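The class of design flaw described above, a preview or "View As" context that hands out a token acting as someone other than the authenticated user, is illustrated below. This is an added example written for this page, not Facebook's or Meta's code; the token format, the `Session` type, the scope names and the `audit_issuance` check are all assumptions made for the demonstration. It shows a token issuer that binds the subject to the preview target beside a hardened issuer that binds it to the authenticated principal with a single-purpose scope, plus a defender-side audit over issuance records.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed demo key; a real service would load this from a secret store.
SERVER_KEY = b"constructed-demo-signing-key"


@dataclass(frozen=True)
class Session:
    user_id: str                   # authenticated principal
    view_as: Optional[str] = None  # profile being previewed, if any


def _sign(claims: dict) -> str:
    """Serialise claims and append an HMAC so tokens cannot be forged or edited."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def parse_token(token: str) -> dict:
    """Verify the HMAC and return the claims; raise on tampering."""
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("token signature mismatch")
    return json.loads(base64.urlsafe_b64decode(body))


def issue_upload_token_vulnerable(session: Session) -> str:
    # Modelled flaw (an assumption, not Facebook's implementation): the preview
    # context's "effective user" becomes the token subject with unrestricted
    # scope, so previewing Alice's profile yields a key that acts as Alice.
    effective_user = session.view_as or session.user_id
    return _sign({"sub": effective_user, "scope": "full"})


def issue_upload_token_hardened(session: Session) -> str:
    # Data protection by design and default: the subject is always the
    # authenticated principal, and the scope is the minimum the feature needs.
    return _sign({"sub": session.user_id, "scope": "upload:video"})


def token_subject(token: str) -> str:
    """Whose identity does this token carry?"""
    return parse_token(token)["sub"]


def token_allows(token: str, action: str) -> bool:
    """Default deny: an action is permitted only if it is exactly within scope."""
    scope = parse_token(token)["scope"]
    return scope == "full" or scope == action


def audit_issuance(session: Session, token: str) -> list:
    """Defender-side check to run over token-issuance records: flag any token
    whose subject differs from the session that obtained it, or that carries
    an unbounded scope. Returns a list of finding strings (empty means clean)."""
    claims = parse_token(token)
    findings = []
    if claims["sub"] != session.user_id:
        findings.append(f"subject {claims['sub']!r} != session user {session.user_id!r}")
    if claims["scope"] == "full":
        findings.append("unscoped token issued by a single-purpose feature")
    return findings


if __name__ == "__main__":
    # Constructed scenario: Bob is logged in and previews his profile as Alice sees it.
    session = Session(user_id="bob", view_as="alice")
    for issue in (issue_upload_token_vulnerable, issue_upload_token_hardened):
        tok = issue(session)
        print(issue.__name__, "->", token_subject(tok), audit_issuance(session, tok))
```

The audit function is the point a reviewer would insist on: a feature that exists only to upload a video has no reason to mint a token for anyone but the caller, and never with full-profile scope, so every issuance record that violates either rule is a finding worth alerting on rather than a quirk to tolerate.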


Between September 14 and September 28, 2018, malicious individuals utilized automated scripts to exploit this vulnerability, gaining access to users’ profiles and personal data, such as full names, email addresses, phone numbers, birth dates, locations, workplaces, religion – including children’s personal data.

The breach was spotted by advanced users who noticed unusual activity in the video upload feature, and it prompted Facebook to remove the functionality in order to contain the vulnerability.

Following its investigation, the DPC determined in December 2024 that Meta had failed to comply with key GDPR principles, resulting in two separate enforcement decisions:


1. Failure to notify and document the breach

- Meta failed to provide all required information in its breach notification to the DPC under Article 33(3) and was fined €8 million.

- The company did not adequately document the facts surrounding the breach and the measures taken to address it, in violation of Article 33(5), resulting in an additional €3 million fine.

2. Inadequate data protection by design and default

- Meta was found to be in violation of Article 25(1) by failing to implement sufficient safeguards in the design of its processing systems to prevent such breaches, leading to a €130 million fine.

- It also breached Article 25(2) by failing to ensure, by default, that only necessary personal data was processed for specific purposes. This resulted in a further €110 million fine.


DPC Deputy Commissioner Graham Doyle emphasized in a published statement that this case highlighted the critical importance of integrating data protection measures throughout the development and design of digital systems.

The breach exposed sensitive information, such as users' religious or political beliefs and sexual orientation, which poses serious risks to individual privacy and fundamental rights, he noted.

Meta has not disputed the decision and has accepted the fine in full, affirming its commitment to enforcing strong personal data protections and to addressing emerging technical flaws immediately.

Meta was also hit with a €102 million ($110 million) fine last September following the completion of a five-year investigation into a password lapse in the European Union. The regulator flagged the issue after Meta disclosed the mishap, stating that user passwords were stored incorrectly. The breach was deemed a violation of privacy regulations.

***
NewsCafe is an independent outlet that cares about big issues. Our sources of income amount to ads and donations from readers. You can support us via PayPal: office[at]rudeana.com or paypal.me/newscafeeu, or https://buymeacoffee.com/newscafe . Any amount is welcome.
