Meta Fined €251 Million for 2018 Data Breach Impacting 29 Million Accounts
Meta Platforms, the parent company of Facebook, Instagram, WhatsApp, and Threads, has been fined €251 million (around $263 million) for a 2018 data breach that impacted millions of users in the European Union, the latest financial hit the company has taken for flouting the bloc’s stringent privacy laws.
The Irish Data Protection Commission (DPC) said the data breach impacted approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the European Union and European Economic Area (EEA). It’s worth noting that initial estimates from the tech giant had pegged the total number of affected accounts at 50 million.
The incident, which the social media company disclosed back in September 2018, arose from a bug that was introduced to Facebook’s systems in July 2017, allowing unknown threat actors to exploit the “View As” feature that lets a user see how their own profile appears to another user.
This ultimately made it possible to obtain account access tokens, allowing the attackers to break into victim accounts. Categories of personal data impacted as a result of the security breach included users’ full names, email addresses, phone numbers, location, places of work, dates of birth, religion, gender, posts on timelines, groups of which they were members, and children’s personal data.
“A user making use of [the View As] feature could invoke the video uploader in conjunction with Facebook’s ‘Happy Birthday Composer’ facility,” the DPC said.
“The video uploader would then generate a fully permissioned user token that gave them full access to the Facebook profile of that other user. A user could then use that token to exploit the same combination of features on other accounts, allowing them to access multiple users’ profiles and the data accessible through them.”
The data protection watchdog also said that malicious actors leveraged scripts to exploit the flaw between September 14 and 28, 2018, and gain unauthorized access to 29 million Facebook accounts globally. Meta has since removed the functionality that caused the issue.
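The flaw the DPC describes is a token-scoping failure: a component invoked while a user previews their own profile from another person’s perspective minted a token bound to the previewed person rather than to the logged-in user. The following is an added, deliberately simplified model of that flaw class and of the control that prevents it; it is not Facebook’s code, does not reproduce the real 2018 mechanism, and every name, field, scope string and log record in it is constructed for this illustration. The hardened issuer always binds the token subject to the authenticated principal and caps scopes while a preview context is active, and a small audit check flags issuance records where the token subject differs from the session owner, which is the anomaly a detection team would want to alert on.

```python
"""
Hypothetical model of an impersonation/"view as" token-scoping bug and its
mitigation. Constructed example: not Facebook's code, not the real 2018
mechanism; all identifiers, scopes and log records are made up.
"""
from dataclasses import dataclass, field
from typing import Optional, Iterable, List, Tuple
import hashlib
import hmac
import json
import secrets

SIGNING_KEY = b"constructed-demo-key"  # placeholder only, never a real secret


@dataclass
class Session:
    authenticated_user: str                 # the principal who actually logged in
    view_as_user: Optional[str] = None      # set while previewing own profile as another user


@dataclass
class Token:
    subject: str                            # whose resources this token unlocks
    scopes: frozenset                       # granted permissions
    context: str                            # "normal" or "preview"
    nonce: str = field(default_factory=lambda: secrets.token_hex(8))
    sig: str = ""


def _sign(t: Token) -> str:
    """HMAC over the token fields so a resource server can detect tampering."""
    payload = json.dumps([t.subject, sorted(t.scopes), t.context, t.nonce]).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


FULL_SCOPES = frozenset({"profile:read", "profile:write", "friends:read"})
PREVIEW_SCOPES = frozenset({"profile:read"})


def mint_token_flawed(session: Session, scopes: Iterable[str]) -> Token:
    """Models the bug class: the embedded component derives the token subject
    from the user being *rendered* (the view-as target), so previewing another
    person's perspective yields a token for that person."""
    subject = session.view_as_user or session.authenticated_user
    t = Token(subject=subject, scopes=frozenset(scopes), context="normal")
    t.sig = _sign(t)
    return t


def mint_token_hardened(session: Session, scopes: Iterable[str]) -> Token:
    """Mitigation: the subject is always the authenticated principal, and a
    preview context can only ever receive a reduced, read-only scope set."""
    requested = frozenset(scopes)
    if session.view_as_user is not None:
        context, granted = "preview", requested & PREVIEW_SCOPES
    else:
        context, granted = "normal", requested & FULL_SCOPES
    t = Token(subject=session.authenticated_user, scopes=granted, context=context)
    t.sig = _sign(t)
    return t


def authorize(token: Token, target_user: str, needed_scope: str) -> bool:
    """Resource-side check: valid signature, subject matches the resource
    owner being accessed, and the required scope was granted."""
    if not hmac.compare_digest(token.sig, _sign(token)):
        return False
    if token.subject != target_user:
        return False
    return needed_scope in token.scopes


# Constructed token-issuance audit records (not real log data).
ISSUANCE_LOG = [
    {"session_user": "alice", "view_as": None,      "token_subject": "alice"},
    {"session_user": "alice", "view_as": "bob",     "token_subject": "bob"},      # anomalous
    {"session_user": "carol", "view_as": "dave",    "token_subject": "carol"},
    {"session_user": "eve",   "view_as": "mallory", "token_subject": "mallory"},  # anomalous
]


def find_subject_mismatches(records) -> List[Tuple[str, str]]:
    """Detection: any issuance whose token subject differs from the session
    owner is a candidate for the 'token minted for someone else' pattern."""
    return [(r["session_user"], r["token_subject"])
            for r in records if r["token_subject"] != r["session_user"]]


if __name__ == "__main__":
    s = Session(authenticated_user="alice", view_as_user="bob")
    bad = mint_token_flawed(s, FULL_SCOPES)
    good = mint_token_hardened(s, FULL_SCOPES)
    print("flawed token can write bob's profile:", authorize(bad, "bob", "profile:write"))
    print("hardened token can write bob's profile:", authorize(good, "bob", "profile:write"))
    print("issuance mismatches:", find_subject_mismatches(ISSUANCE_LOG))
```

The point of the split between `mint_token_hardened` and `authorize` is that the fix belongs at issuance, not at verification: a signed token whose subject is the wrong person verifies perfectly well, which is exactly why the described chain could be repeated against further accounts. The audit check is cheap to run over existing issuance logs and would have surfaced the pattern the DPC attributes to scripted use between September 14 and 28, 2018.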
The fines are pursuant to the violation of four different clauses under the GDPR data privacy laws, namely Article 33(3), Article 33(5), Article 25(1), and Article 25(2) –
- Failing to include in its breach notification all the information that it could and should have included
- Failing to document the facts relating to each breach, the steps taken to remedy them, and to do so in a way that allows the Supervisory Authority to verify compliance
- Failing to ensure that data protection principles were protected in the design of processing systems
- Failing in its obligations as a controller to ensure that only personal data that are necessary for specific purposes are processed
“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals,” DPC Deputy Commissioner Graham Doyle said.
“By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”
This is the second such fine issued by the DPC against Meta, which was slapped with a €91 million ($101.5 million) penalty back in September 2024 for a security issue in 2019 that involved inadvertently storing users’ passwords in plaintext.
The development comes as Meta also agreed to an AU$50 million ($31.5 million) payment program to settle with the Office of the Australian Information Commissioner (OAIC) related to the misuse of users’ personal information for political profiling and ad targeting in the wake of the 2018 Cambridge Analytica scandal.
The scheme is open to individuals who held a Facebook account between November 2, 2013, and December 17, 2015; were present in Australia for more than 30 days during that period; and either installed the This is Your Digital Life app or were Facebook friends with an individual who installed the app.
It’s said that 53 Australian Facebook users had installed the app, and 311,074 Facebook users could have had their personal information requested by the app as friends of those who had downloaded it.
The settlement offers two tiers of payments: a base payment to those who experienced generalized concern or embarrassment because of the leak, and a specific payment to those who can demonstrate that they have suffered loss or damage. The payment program is expected to formally accept applications in the second quarter of 2025.
“It represents a substantive resolution of privacy concerns raised by the Cambridge Analytica matter, gives potentially affected Australians an opportunity to seek redress through Meta’s payment program, and brings to an end a lengthy court process,” Australian Information Commissioner Elizabeth Tydd said.