Ireland: Meta fined €251M over Facebook's 2018 security breach
Meta, the parent company of Facebook, has been slapped with a €251 million (around $263 million) fine. The penalty is related to a security breach, which Facebook disclosed in September 2018. The Irish Data Protection Commission (DPC) issued the fine under the General Data Protection Regulation (GDPR). It isn't the biggest GDPR-related fine for Meta, but is notable for a single incident.
Breach affected 29M accounts globally
The security breach in question dates back to July 2017, when Facebook introduced a video upload function with a "View as" feature. A bug in this function allowed unauthorized access to user profiles. Between September 14 and September 28, 2018, unauthorized scripts exploited this vulnerability, affecting approximately 29 million accounts worldwide, including around three million in the EU.
Meta fined for inadequate breach notification, data protection
The DPC's enforcement consisted of two decisions: one on Meta's breach notification and another on data protection by design and default. The company was fined €11 million for failing to provide all the information it "could and should have" in its initial breach notification. An additional €240 million fine was levied for violating GDPR principles of data protection by design, as it lacked appropriate measures to protect people's data from unintended processing.
DPC highlights risks of inadequate data protection measures
Graham Doyle, the Deputy Commissioner of the DPC, emphasized the risks of not having proper data protection measures in place. He said such failures could expose sensitive information such as religious or political beliefs. The enforcement decision did not face any objections from peer authorities, unlike past cases in which the DPC's draft decisions were disputed.
Meta responds to the fine
Responding to the penalty, Meta spokesperson Emily Westcott said the company took immediate action to fix the issue and notified affected users and the DPC in a timely manner. She stressed that Meta has "a wide range of industry-leading measures in place to protect people across our platforms." This isn't the first time the DPC has fined Meta. In September, it was fined €91 million for another security incident involving plaintext storage of user passwords on its servers.