Contact Us

Irish DPC Fines Meta €251 Million Over 2018 Data Breach

Written by Jeremy Werner

Jeremy is an experienced journalists, skilled communicator, and constant learner with a passion for storytelling and a track record of crafting compelling narratives. He has a diverse background in broadcast journalism, AI, public relations, data science, and social media management.
Posted on 12/19/2024
In News

The Irish Data Protection Commission (DPC) has imposed a €251 million fine on Meta Platforms Ireland Limited following its investigation into a 2018 data breach that exposed the personal data of approximately 29 million Facebook users globally, including 3 million in the EU/EEA.

 

The breach, stemming from vulnerabilities in Facebook’s “View As” and video uploader features, allowed unauthorized access to user accounts through the exploitation of user tokens. Personal data affected included names, email addresses, phone numbers, locations, and more sensitive information such as religious and political affiliations. Children’s data was also among the information exposed.

 

In two separate decisions, the Irish DPC identified multiple violations of the General Data Protection Regulation (GDPR).

 

Decision 1:

 

  • Meta was fined €8 million under Article 33(3) for failing to include all necessary information in its breach notification.

 

  • An additional €3 million fine was levied under Article 33(5) for inadequate documentation of the breach and the remedial steps taken.

 

Decision 2:

 

  • A €130 million fine was imposed under Article 25(1) for failing to integrate data protection principles into the design of processing systems.

 

  • Meta was fined €110 million under Article 25(2) for failing to ensure that, by default, only the data necessary for specific purposes was processed.

 

The total €251 million penalty underscores the severity of Meta’s shortcomings in protecting user data.

 

The breach exploited a flaw in Facebook’s “View As” feature combined with its video upload functionality. Attackers used automated scripts to access user tokens, enabling unauthorized entry into Facebook profiles. The breach was active between September 14 and 28, 2018, before Facebook’s security team detected and mitigated the issue.

 

Deputy Commissioner Graham Doyle emphasized the significant risks posed by such vulnerabilities, particularly when sensitive data such as religious or political beliefs, sexual orientation, or personal life details are exposed. He warned that Meta’s failure to prioritize data protection during its system’s design and development exposed users to grave risks, infringing on their fundamental rights and freedoms.

 

This enforcement action highlights the importance of GDPR compliance and the need for robust data protection measures throughout the lifecycle of digital systems. Meta’s violations demonstrate the consequences of neglecting privacy by design, a principle enshrined in EU data protection law.

 

The Irish DPC’s decision follows the GDPR cooperation mechanism under Article 60, with no objections raised by peer EU supervisory authorities. The Commission praised the collaborative efforts of its European counterparts during the investigation.

 

 

Need Help?

 

Keeping track of the growing AI regulatory landscape can be difficult. So if you have any questions or concerns, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.

What’s New?

Stay up to date with the latest updates.

FDA Unveils Draft Guidance for AI-Enabled Medical Devices, Emphasizing Lifecycle Management and Transparency

FDA Unveils Draft Guidance for AI-Enabled Medical Devices, Emphasizing Lifecycle Management and Transparency

01.07.2025
Michigan Senate Advances Reproductive Health Data Protection Act

Michigan Senate Advances Reproductive Health Data Protection Act

01.07.2025
California Unveils Guidelines to Address AI’s Impact on Marginalized Communities

California Unveils Guidelines to Address AI’s Impact on Marginalized Communities

01.02.2025

Subscribe to our Newsletter

Keep up with the latest on BABL AI, AI Auditing and
AI Governance News by subscribing to our news letter
By subscribing, you agree with our privacy policy and our terms of service.