Meta slammed with €250 million fine for Facebook data breach

Meta, the parent company of Facebook, has been hit with a hefty fine of over €250 million (approximately £206 million) by the Irish Data Protection Commission (DPC) due to a significant data breach. The breach, which came to light in September 2018, impacted around 29 million Facebook accounts worldwide, including about three million based in the EU and European Economic Area (EEA).

The breach allowed unauthorized parties to exploit Facebook’s user tokens — the digital keys that let users stay logged in without entering passwords repeatedly. This flaw gave attackers access to sensitive personal information such as full names, email addresses, phone numbers, locations, workplace details, dates of birth, religious affiliations, genders, posts, group memberships, and even children’s data.

Meta resolved the issue promptly after it was discovered, both in Ireland and at its US headquarters. However, the Irish watchdog still found the company at fault for failing to safeguard user data adequately.

The decision to fine Meta was made by Data Protection Commissioners Dr. Des Hogan and Dale Sunderland, who issued several reprimands alongside the substantial financial penalty totaling €251 million.

Deputy Commissioner Graham Doyle emphasized the severity of the breach, noting the risks posed by the unauthorized exposure of personal data.

“This case highlights the dangers of not embedding data protection measures into the design and development process,” Doyle explained. “The failure to do so can lead to serious risks and harm, including threats to individuals' fundamental rights and freedoms.”

He added that Facebook profiles often contain sensitive information, such as political or religious beliefs and sexual orientation, which users might prefer to share only under certain circumstances. The breach, therefore, created a significant risk of misuse of such personal data.

The fine serves as a strong reminder that tech companies must prioritize user privacy and security, ensuring data protection is a core part of their platform development.

Source: PA Media