Meta Fined €251M for 2018 Facebook Data Breach Exposing Millions of Users
Meta was fined €251M for a 2018 Facebook data breach that exposed millions of accounts. Learn what caused the breach and its impact under GDPR rules.
Meta, the parent company of Facebook, has been fined €251 million ($264 million) by European regulators for a 2018 data breach that exposed the personal data of millions of users. The fine was imposed by Ireland’s Data Protection Commission (DPC) after it found that Meta failed to adequately secure its platform against known vulnerabilities, violating the EU’s General Data Protection Regulation (GDPR).
What Happened in the 2018 Breach?
The breach occurred when hackers exploited bugs in Facebook’s “View As” feature, which lets users see how their profiles appear to others. These vulnerabilities allowed attackers to steal digital keys, called access tokens, that provide access to user accounts without the need for passwords. Hackers used these stolen tokens to take control of accounts and spread the attack by targeting friends of affected users.
Initially, Facebook reported that 50 million accounts were compromised. However, a later investigation revealed the actual number was 29 million accounts, including 3 million in Europe. The stolen data included users’ names, email addresses, and phone numbers. While no financial or password information was stolen, the breach raised serious concerns about Facebook’s ability to protect user privacy.
Ireland’s Role in the Investigation
Under GDPR, companies with headquarters in the EU are regulated by the data protection authority in their host country. Since Meta’s European operations are based in Dublin, the Irish DPC led the investigation. The fine of €251 million reflects Meta’s failure to safeguard user data and its violation of GDPR principles, which require companies to ensure robust data protection.
Meta’s Response
Meta has announced plans to appeal the fine. In a statement, the company said:
“This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified. We also proactively informed affected users and regulators, including the Irish DPC.”
Meta added that since the breach, it has made significant investments in improving its platform security, such as enhancing data encryption, adding two-factor authentication, and launching privacy-focused features.
What This Means for Users
For users, this incident is a reminder of the importance of online security. Although Meta has strengthened its defenses, users should consider additional steps to protect their accounts, such as:
- Enabling two-factor authentication (2FA).
- Regularly reviewing account activity.
- Avoiding the reuse of passwords across different platforms.
Impact on Businesses
This fine highlights the EU’s strict enforcement of GDPR, which aims to hold companies accountable for protecting user data. For businesses, the message is clear: failure to comply with data privacy regulations can result in significant financial penalties and reputational damage.
Key Takeaways for the Industry
- Data Protection Is a Priority: Companies must continuously monitor and patch vulnerabilities in their systems to prevent breaches.
- Transparency Matters: Promptly notifying users and regulators about breaches is essential for maintaining trust.
- Compliance Is Critical: GDPR violations can lead to severe fines, even for global tech giants like Meta.
As cyberattacks become increasingly sophisticated, regulators are likely to enforce even stricter privacy rules. Meta’s case serves as a wake-up call for the tech industry to prioritize security and compliance in its operations.
This fine also reinforces the EU’s commitment to protecting users’ data and ensuring that companies take privacy seriously in the digital age.