Meta Faces €251 Million Penalty Over 2018 Facebook Data Breach

In a major development concerning data privacy, Meta, the parent company of Facebook, has been fined €251 million by the Irish Data Protection Commission. The penalty stems from a 2018 data breach that affected approximately 29 million users worldwide, with 3 million of those users based in Europe. The breach exploited vulnerabilities in Facebook's "View As" feature, allowing hackers to move from one user's Facebook friend to another, stealing digital access tokens in the process.

The breach involved three distinct bugs within the "View As" feature, a tool that allows users to see how their profiles appear to others. By exploiting these bugs, hackers gained unauthorized access to user accounts, leading to a significant compromise of personal data. Initially, Facebook reported that 50 million accounts were affected; however, subsequent investigations revealed that the actual number was closer to 29 million.

The Irish Data Protection Commission, serving as Meta's lead privacy regulator under the EU's stringent privacy laws, concluded its inquiry into the breach. As a result, it issued reprimands and imposed administrative penalties totaling €251 million. This decision highlights the regulatory body's commitment to enforcing data protection standards and holding companies accountable for breaches.

Meta, whose regional headquarters are located in Dublin, responded by stating that it had "proactively informed people impacted" and notified the Irish watchdog of the breach. The company also alerted the FBI and other regulatory bodies in both the United States and Europe upon discovering the security flaws. This proactive communication underscores Meta's efforts to address the situation transparently.

The breach's impact was significant not only due to the number of affected users but also because it took place amidst growing scrutiny over data privacy practices globally. The Irish Data Protection Commission's decision reinforces the importance of robust data protection frameworks and the consequences companies face when these are breached.