Meta has been fined €251 million (approximately $263 million) by Ireland’s Data Protection Commission (DPC) for a 2018 Facebook security breach that affected around 3 million EU users. The penalty, issued under the General Data Protection Regulation (GDPR), is significant but not the largest Meta has faced since the GDPR's implementation.
The breach originated in July 2017, when a bug in a video upload feature allowed attackers to abuse the “View as” function and gain unauthorized access to user profiles. Between September 14 and 28, 2018, attackers used this vulnerability to log into approximately 29 million Facebook accounts globally, 3 million of them belonging to users in the EU. The compromised data included users' names, email addresses, phone numbers, and other personal information.
The DPC's enforcement decisions covered two inquiries, one into Meta's breach notification and one into its data protection measures. Meta was fined €11 million for failing to provide comprehensive breach notifications and €240 million for not adhering to the GDPR principle of data protection by design. The DPC emphasized the serious risks posed by unauthorized exposure of sensitive profile information.
In a statement, DPC deputy commissioner Graham Doyle highlighted the importance of integrating data protection into the design process to prevent such vulnerabilities. Notably, this enforcement action faced no objections from other EU supervisory authorities, marking a shift from previous criticisms of the DPC's enforcement actions against Meta.
In response, Meta stated that the incident occurred in 2018 and that it took immediate corrective action, informing affected users and the DPC. Earlier, in September, the DPC had also fined Meta €91 million for a separate 2019 security breach involving improperly stored passwords.