It’s been six years since miscreants abused some sloppy Facebook code to steal access tokens belonging to 30 million users, and the slow-turning wheels of Irish justice have finally caught up with a €251 million ($264 million) fine for the social media biz.
The Irish Data Protection Commission (DPC) today announced the conclusion of two investigations into a 2018 data breach caused by what Meta described at the time as a “complex interaction of multiple issues in our code.” The flaw let attackers pilfer access tokens via Facebook’s “View As” feature, which lets users see their own profiles as another user would.
Initially believed to have exposed personally identifiable information (PII) on as many as 90 million users, Meta later resolved the number down to a mere 30 million. Per the DPC, approximately three million of those who had their access tokens pilfered are based in the EU.
“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms,” DPC deputy commissioner Graham Doyle said of the fine. “By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”
According to the DPC, PII exposed in the attack included full names, email addresses, phone numbers, location, place of work, birthdate, religious affiliation, gender, user posts and groups users belonged to. The PII of children was also exposed, the DPC said.
The pair of investigations concluded that the breach resulted in four violations of the EU’s General Data Protection Regulation (GDPR). Meta violated Article 33, pertaining to breach notifications, by “not including in its breach notification all the information required” and “failing to document the facts relating to each breach, the steps taken to remedy them, and to do so in a way that allows the Supervisory Authority to verify compliance.”
Article 25, which covers requirements for companies to design systems with proper data protection by default, was violated by Meta “failing to ensure that data protection principles were protected in the design of processing systems” and “failing in [its] obligations as controllers to ensure that, by default, only personal data that are necessary for specific purposes are processed.”
Meta told The Register that it intends to appeal the decisions.
“We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission,” a Meta spokesperson told us. “We have a wide range of industry-leading measures in place to protect people across our platforms.”
Meta also said it has security features like multifactor authentication and login alerts available, and encouraged users to use them.
This is only the latest case of the DPC fining Meta – which has its European HQ in Ireland – for violating EU data protection rules. The DPC charged Meta €1.2 billion for sending EU user data to the US, €390 million for using personal user data without consent on Facebook and Instagram and an additional €5.5 million for similar violations in WhatsApp – all of those fines were levied in 2023.
Meta was also fined twice by the DPC in 2022, forking over €17 million for failing to protect user data and €265 million for Facebook allowing user data to be scraped and exposed online.
This latest fine – if it sticks – will probably have a similar drop-in-the-bucket effect to all those other fines (minus the record-setting €1.2B one). Amounting to $264 million, today’s bill equates to less than 2 percent of Meta’s third quarter profit of $15.7 billion. ®