The European Union’s lead data privacy regulator for Meta has fined the social media giant $263.5 million for a Facebook security breach dating back to 2018, which affected 29 million users.
The breach occurred when cyber attackers exploited a vulnerability in Facebook’s code, specifically in the ‘View As’ feature, which allows users to see how their profiles appear to others. This flaw led to unauthorised access to personal data, including users’ full names, contact details, locations, workplaces, dates of birth, religions, genders, and even their children’s information, according to Ireland’s Data Protection Commission (DPC).
“The vulnerabilities behind this breach caused a significant risk of misuse of these types of data by allowing unauthorised exposure of profile information,” Graham Doyle, DPC Deputy Commissioner, said in a statement.
Meta addressed the breach shortly after it was discovered and informed the DPC as well as the affected users. Of the 29 million accounts compromised worldwide, approximately three million were based in the EU and European Economic Area.
Ireland’s DPC serves as the lead EU regulator for major U.S. tech companies, given that many base their European headquarters in Ireland. Since the implementation of the General Data Protection Regulation (GDPR) in 2018, the regulator has imposed nearly three billion euro in fines on Meta for various data privacy violations. This includes a record €1.2 billion penalty in 2023, which Meta is currently appealing.
In response to Tuesday’s fine, Meta stated it plans to appeal the decision as well. “We took immediate action to fix the problem as soon as it was identified, and we proactively informed both impacted users and the Irish Data Protection Commission,” a Meta spokesperson clarified. Meta has also highlighted its wide-ranging measures to safeguard user data across its platforms.