Ireland fines Meta €251 million over Facebook hacks

Juliet Anine

Ireland’s Data Protection Commission has fined Meta, the owner of Facebook, 251 million euros ($263 million) for failing to protect users’ data, which led to a hacking incident in 2018.

The DPC found that a security flaw in Facebook’s video upload feature allowed hackers to access users’ accounts. The breach occurred over two weeks in 2018, affecting around 29 million Facebook accounts worldwide. Hackers were able to steal personal data, including email addresses, phone numbers, locations, and workplace information.

Graham Doyle, the head of communications for the DPC, said, “The failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals.”

He added that allowing the exposure of profile information created a serious risk that the data could be misused.

Meta, which has its regional headquarters in Dublin, has faced multiple penalties under the European Union’s strict data protection rules known as the General Data Protection Regulation (GDPR). This latest fine follows a detailed inquiry into the breach, which found that hackers exploited bugs in Facebook’s code to steal “access tokens,” which allowed them to control user accounts.

Meta has said it plans to appeal the fine. The company stated, “This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified.” Meta added that it informed the people affected by the breach and also notified the DPC.

The hack was caused by three bugs in Facebook’s “View As” feature, which let users see how their profiles appear to others. Hackers used this vulnerability to steal access tokens from users’ accounts, starting with those whose profiles were searched using the feature. The attack spread from one user’s Facebook friend to another.

Meta addressed the issue shortly after discovering it and reported the breach to the DPC in September 2018.

This fine is part of a series of penalties Meta has faced in recent years. In September, the DPC fined Meta 91 million euros for failing to protect users’ password data and for delaying the notification to regulators.
