Back in 2018, 29 million Facebook users around the world were affected by a security breach that exposed their personal data. Six years later, the Irish Data Protection Commission, which regulates Facebook’s parent company Meta in the European Union, has finally issued the company with a fine for the breach.
The DPC announced on Tuesday it was fining Meta 251 million euros ($263.5 million) for failing to prevent cyberattackers from exploiting a vulnerability in Facebook’s code. The exploit allowed them to use the site’s “View As” feature to see people’s private profile information. This included full names, email addresses, phone numbers, locations, places of work, dates of birth, religions, genders, posts on timelines, groups of which people were members and children’s personal data.
“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals,” said DPC Deputy Commissioner Graham Doyle in a statement. “Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances.”
Around 3 million people affected by the breach live in the EU, where strict rules, known as the General Data Protection Regulation, provide citizens with protections if their privacy is violated. The GDPR has served as a model for many other pieces of privacy legislation around the world, including California’s privacy rules. It requires companies to self-report privacy breaches, and violations can result in fines of up to 20 million euros or 4% of global revenue, whichever is higher. Meta has been fined almost $3 billion in total for various breaches.
The company said on Tuesday that it plans to appeal the DPC’s decision.
“This decision relates to an incident from 2018,” a spokesperson for Meta said in a statement. “We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission.”