Meta (NASDAQ: META) has been fined €251 million ($264 million) by the Irish Data Protection Commission (DPC) for General Data Protection Regulation (GDPR) violations linked to a 2018 data breach that exposed sensitive information from approximately 29 million Facebook accounts. The breach, caused by vulnerabilities in the “View As” feature, enabled attackers to steal access tokens and gain unauthorized control over user accounts.
Sensitive data such as email addresses, phone numbers, and physical locations were exposed, with the incident impacting both adults and children.
Ireland, home to Meta’s European headquarters, took the lead in the investigation and levied multiple fines related to Meta’s failure to design systems with adequate safeguards.
Meta has responded by highlighting its immediate corrective actions following the breach and signaling plans to appeal the decision.
Why It Matters: The €251 million fine reinforces the European Union’s position as a global leader in data privacy regulation, setting a high bar for accountability. GDPR violations can carry significant financial and reputational consequences, as shown by the continued scrutiny and penalties faced by Meta in recent years. This incident serves as a reminder that companies need to prioritize security, not just when building systems, but also in how they respond when things go wrong.
- Data Breach Overview: In 2018, hackers exploited bugs in Facebook’s “View As” feature to steal access tokens, which allowed unauthorized control over user accounts. The breach exposed names, email addresses, phone numbers, locations, and even personal data of children, impacting 29 million accounts globally, including 3 million in Europe.
- Specific GDPR Violations and Fines: The Irish DPC fined Meta €251 million for GDPR violations. This included €130 million for lacking proper data protection measures, €110 million for excessive data processing, and smaller penalties for incomplete breach details and inadequate documentation. The case highlights major gaps in Meta’s data security and privacy practices under EU law.
- Meta’s Response: Meta emphasized its swift response in 2018, stating that the vulnerabilities were promptly addressed, and affected users, along with regulators, were informed. The company reiterated its commitment to platform security and signaled its intent to appeal the decision.
- Ongoing Scrutiny of Meta: This is not the first time Meta has faced regulatory action in Europe. Recent penalties include €1.2 billion in May 2023 for improper data transfers and €91 million in September 2024 for failing to secure user passwords adequately. These fines signal increasing pressure on Meta to comply with GDPR requirements.
Go Deeper:
- Facebook Owner Hit with 251 Million Euros in Fines for 2018 Data Breach – ABC News
- Ireland Fines Meta $264 Million Over 2018 Facebook Data Breach – Bleeping Computer
- Meta Fined $263 Million for Alleged GDPR Violations that led to Data Breach – The Record