
Meta Faces Fresh Data Protection Fine

Around three million users in Europe were affected.


Meta has been fined £207 million for a 2018 Facebook security breach that affected 29 million users.

The parent of Facebook, WhatsApp and Instagram was fined €251 million over the incident, in which attackers exploited a vulnerability in Facebook's code that impacted the "View As" feature.

According to Reuters, the vulnerability led to a breach of personal data, including users' full names, contact details, location, place of work, date of birth, religion, gender and their children's personal data.

The breach was remedied by Meta and its US parent company shortly after its discovery. Of the 29 million Facebook accounts impacted globally, around three million were based in the EU and European Economic Area.

Graham Doyle, deputy commissioner of the Irish data protection commission, said: “This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals.”

Unauthorised exposure

Doyle said that Facebook profiles often contain personal information, and matters that a user may wish to disclose only in particular circumstances. “By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data,” he said.

Meta was previously fined €91 million in September after it stored hundreds of millions of users’ passwords in plaintext on its internal systems. The Irish DPC has so far fined Meta almost three billion euros for breaches under the bloc's General Data Protection Regulation (GDPR) introduced in 2018, including a record 1.2 billion euro fine in 2023 that Meta is appealing.

In a statement, a spokesperson for Meta said they would appeal the decision. "We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission."

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
