Facebook owner Meta faces €251 million in fines for a data breach in 2018

Facebook data breach

Are you aware of the Facebook data breach? In an era where user privacy is paramount, companies handling personal data face increasing scrutiny and severe penalties for mishandling sensitive information. Meta Platforms, the parent company of Facebook, Instagram, WhatsApp, and Threads, is the latest to feel the financial repercussions of such missteps. The Irish Data Protection Commission (DPC) recently levied a €251 million (approximately $263 million) fine against Meta for a data breach in 2018, underscoring the growing enforcement of the European Union's privacy laws.

The breach, disclosed by Meta in September 2018, stemmed from a bug in Facebook's systems that had been present since July 2017. The flaw let attackers abuse the "View As" feature, which is designed to let users see their own profile as another user would see it. Approximately 29 million accounts globally were compromised, around 3 million of them belonging to users in the European Union and European Economic Area (EEA). Meta's initial public estimate was around 50 million affected accounts, a figure it revised downward as the investigation progressed.

The €251 million fine is a stark reminder of the financial consequences organizations can face for failing to safeguard user data. Beyond the monetary penalty, incidents like these erode public trust and raise questions about a company’s ability to manage personal information responsibly. For Meta, a repeat offender in privacy violations, this penalty adds to a substantial list of fines and settlements related to user data protection.

This latest penalty underscores the importance of privacy laws like the General Data Protection Regulation (GDPR) in holding corporations accountable. The GDPR empowers regulators to impose significant fines on companies that fail to adequately protect user data. This represents a clear message for Meta and other tech giants: compliance is no longer optional. The increasing frequency and magnitude of fines signal a shift toward more aggressive enforcement, compelling businesses to prioritize data security.

The Meta data breach serves as a cautionary tale for companies across industries. As data breaches become more sophisticated and widespread, organizations must adopt proactive measures to protect user information and comply with evolving privacy laws. Comprehensive security protocols, regular audits, and robust incident response plans are no longer just recommendations; they are necessities. This case also highlights the critical role of regulatory frameworks like the GDPR in shaping the future of global data protection and ensuring accountability for organizations entrusted with user data.

The Exploit That Compromised Millions of Users


The "View As" feature on Facebook, designed to let users preview their profile as others would see it, became the source of a critical vulnerability. A flaw in the feature let attackers generate fully permissioned access tokens. An access token is what keeps a user logged in without re-entering a password, so a token issued for another user is, in effect, that user's session. That is what turned a preview feature into the key to millions of accounts.

The vulnerability emerged from the interaction between "View As" and the "Happy Birthday Composer" video uploader tool. The composer should not have appeared in a preview at all, but it did, and the token it generated carried full permissions on the account of the user being viewed as, rather than the account of the viewer who had actually logged in. Attackers automated the process with scripts and chained the exploit across accounts: each stolen token served as the login used to "View As" the next victim, yielding that victim's token in turn. The flaw allowed malicious actors to gain unauthorized access to user profiles and the sensitive data they contained.
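To make the mechanism concrete, here is an added example in Python: a toy "View As" service that mints a token for the wrong principal, beside a hardened version. It is not Facebook's code (the article does not show any); every name in it (`Session`, `mint_token`, `render_preview_vulnerable`, `render_preview_fixed`, `chain_attack`) is hypothetical, and the signing key and user ids are constructed for the demo.

```python
# Added example, not Facebook's code: a toy model of the token-minting flaw
# described above. All names are hypothetical; the signing key and user ids
# are constructed for the demo.
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

SECRET = b"constructed-demo-signing-key"  # constructed for the demo
APP_SCOPE = frozenset({"read_profile", "read_posts", "read_friends", "write_posts"})
PREVIEW_SCOPE = frozenset({"read_profile"})  # all a profile preview legitimately needs


@dataclass(frozen=True)
class Session:
    user_id: str  # the authenticated principal making the request


def mint_token(subject: str, scope, ttl: int = 3600) -> str:
    """Issue an HMAC-signed bearer token for `subject` with `scope`."""
    payload = {"sub": subject, "scope": sorted(scope), "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def parse_token(token: str) -> dict:
    """Verify the signature and return the claims; raises on tampering."""
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad token signature")
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def session_from_token(token: str) -> Session:
    """Log in with a bearer token, as an attacker does with a stolen one."""
    return Session(parse_token(token)["sub"])


def render_preview_vulnerable(session: Session, viewed_as: str) -> dict:
    """'View As' page modelled on the bug as the text describes it: the composer
    widget should not render in preview mode, but it does, and the token it
    mints is issued for the *viewed-as* user with the app's full scope."""
    page = {"profile": f"{session.user_id}'s profile as seen by {viewed_as}"}
    # BUG: subject must be the authenticated user, not the user being impersonated
    page["composer_token"] = mint_token(subject=viewed_as, scope=APP_SCOPE)
    return page


def mint_token_for_session(session: Session, requested_scope) -> str:
    """Hardened issuance: the subject always comes from the authenticated session
    (never from a request parameter) and the scope is clipped to what a preview
    surface is allowed to hold."""
    return mint_token(subject=session.user_id, scope=requested_scope & PREVIEW_SCOPE)


def render_preview_fixed(session: Session, viewed_as: str) -> dict:
    """Preview is read-only: no composer renders, so no token is minted at all."""
    return {"profile": f"{session.user_id}'s profile as seen by {viewed_as}"}


def token_grants(token: str, account: str, action: str) -> bool:
    """Would the API honour `action` on `account` with this token?"""
    claims = parse_token(token)
    return (claims["sub"] == account and action in claims["scope"]
            and claims["exp"] > int(time.time()))


def chain_attack(start: Session, victims) -> list:
    """Replay the chaining the text describes: each stolen token becomes the
    login used to 'View As' the next victim. Returns the subjects obtained."""
    session, stolen = start, []
    for victim in victims:
        token = render_preview_vulnerable(session, victim)["composer_token"]
        stolen.append(parse_token(token)["sub"])
        session = session_from_token(token)  # pivot to the victim's identity
    return stolen


if __name__ == "__main__":
    attacker = Session("attacker")
    print(chain_attack(attacker, ["alice", "bob", "carol"]))  # ['alice', 'bob', 'carol']
    print("composer_token" in render_preview_fixed(attacker, "alice"))  # False
```

The fix works at two layers, and both matter: the preview surface never renders anything that mints a token, and the issuer derives the token's subject from the authenticated session rather than from anything the request names. The second layer is the invariant worth testing and alerting on (a minted `sub` that differs from the requesting session is never legitimate), because it holds even when the next UI regression reintroduces a widget where it does not belong.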

The breach impacted an extensive range of personal information, including users’ full names, email addresses, phone numbers, locations, work details, dates of birth, and even information about their children. Furthermore, attackers accessed posts, group memberships, and other private data, significantly heightening the risk of phishing, identity theft, and other malicious activities. This extensive exposure highlighted the dangers of even a single overlooked vulnerability.

Between September 14 and 28, 2018, attackers exploited the flaw, compromising approximately 29 million Facebook accounts, 3 million of them based in the European Union and European Economic Area. Meta removed the flawed functionality, reset the access tokens of the affected accounts, and conducted a security audit. The Irish Data Protection Commission opened an inquiry, which ended with Meta being fined €251 million for failing to protect user data adequately.

This exploit underscores the critical need for robust security testing and proactive vulnerability management. For Meta, the breach was a costly lesson, leading to enhanced security protocols and stricter oversight of new features. For users, it serves as a reminder to be cautious about the platforms they trust with their data. The incident is a case study of how a single vulnerability can have far-reaching consequences, affecting millions of users and reshaping how organizations approach data security.

The fines were imposed for infringing four provisions of the GDPR: Article 33(3), Article 33(5), Article 25(1), and Article 25(2). In plain terms:

  • Article 33(3): its breach notification to the DPC did not include all the information it could and should have provided.
  • Article 33(5): it did not document the breach, its effects, and the remedial action taken in a way that lets the regulator verify compliance.
  • Article 25(1): it did not build data protection principles into the design of its processing systems.
  • Article 25(2): it did not ensure, by default, that only the personal data necessary for each specific purpose was processed.

A Wake-Up Call for Data Privacy Enforcement

The recent enforcement action against Meta underscores the severe consequences of failing to integrate data protection measures throughout the systems’ design and development stages. According to DPC Deputy Commissioner Graham Doyle, neglecting to prioritize data privacy exposes individuals to significant risks, including violations of their fundamental rights and freedoms. This breach highlights how the lack of proper security measures in the system’s design can have far-reaching impacts, jeopardizing user privacy and trust.

The breach revealed a critical vulnerability in Meta’s platform, allowing unauthorized access to users’ profile information. This exposure of sensitive data, including personal details such as names, emails, and contact information, placed users at grave risk of misuse. The failure to secure data correctly allowed malicious actors to exploit these vulnerabilities, resulting in the unauthorized spread of personal information that could be misused for phishing, identity theft, and other harmful activities.

This €251 million fine follows another DPC penalty earlier the same year: in September 2024, Meta was fined €91 million for a security incident disclosed in 2019 in which users' passwords had been inadvertently stored in plaintext. These fines reflect the ongoing challenges Meta faces in ensuring data security and compliance with the GDPR, and the increasing scrutiny and pressure on the company to improve its privacy and security practices.

In addition to the European fines, Meta recently agreed to pay AU$ 50 million ($31.5 million) to settle a separate issue with the Office of the Australian Information Commissioner (OAIC). This settlement pertains to using users’ personal information for political profiling and targeted advertising, stemming from the 2018 Cambridge Analytica scandal. These developments highlight the continuous fallout Meta faces due to its mishandling of user data, further damaging its reputation and triggering regulatory action across the globe.

The combination of these fines and ongoing settlements serves as a stark reminder to companies about the importance of incorporating strong data protection practices from the outset. Organizations like Meta must learn from these incidents and adopt more robust systems that safeguard user privacy and comply with data protection laws. For users, this serves as a reminder to stay vigilant about their personal information and demand greater accountability from the platforms they trust with their data.

Meta’s Facebook Data Breach Settlement


The settlement compensates individuals affected by the Facebook data breach linked to the Cambridge Analytica scandal. Specifically, it is available to those who had a Facebook account between November 2, 2013, and December 17, 2015, and were either users of the "This is Your Digital Life" app or Facebook friends with someone who had installed it. A total of 311,074 Australian Facebook users could have had their personal information accessed, although only 53 of them had installed the app themselves.

The settlement provides two tiers of payments to affected individuals. The first tier offers a base payment for those who experienced generalized concern or embarrassment due to the breach. The second tier is for individuals who can prove they suffered actual loss or damage due to the incident, allowing them to receive a higher payment. The program is expected to begin accepting applications in the second quarter of 2025, giving Australians affected by the breach an opportunity for financial redress.

Australian Information Commissioner Elizabeth Tydd emphasized that the settlement represents a significant resolution of privacy concerns stemming from the Cambridge Analytica scandal. She noted that this settlement provides affected Australians with an opportunity to seek compensation, marking the conclusion of a lengthy legal process. With the settlement, Meta aims to address the privacy issues raised by the breach, offering some level of restitution to those impacted by the misuse of their data.

For more:

https://thehackernews.com/2024/12/meta-fined-251-million-for-2018-data.html

Hoplon Infosec