
Irish Data Protection Commission fines Meta €251m over data breach

Meta is expected to appeal the Data Protection Commission's decision

The Irish Data Protection Commission (DPC) has fined Facebook owner Meta €251m following a personal data breach that impacted around 29 million Facebook accounts globally, of which approximately three million were based in Europe.

The breach was reported by Meta in September 2018. The types of personal data affected included users' full names; email addresses; phone numbers; locations; places of work; dates of birth; religion; gender; posts on timelines; groups of which a user was a member; and children's personal data.

The breach arose from the exploitation by unauthorised third parties of user tokens on the Facebook platform.

User tokens are coded identifiers that can be used to verify the user of a platform or utility, and to control access to particular platform features and to personal data of the user and their contacts.

The breach was remedied by Meta shortly after its discovery.

The decisions, which were made by the Commissioners for Data Protection, Dr Des Hogan and Dale Sunderland, included a number of reprimands and an order to pay administrative fines totalling €251m.


"This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals," said DPC Deputy Commissioner Graham Doyle.

"By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data," Mr Doyle said.

Meta is expected to appeal the decision.

"We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission," a Meta spokesperson said.

"We have a wide range of industry-leading measures in place to protect people across our platforms," the company added.

Today's announcement brings to €2.8 billion the total fines imposed on Meta by the DPC.

However, just €17m of this has so far been collected due to legal challenges.
