European Union privacy regulators have levied fines totaling 251 million euros against Meta, the parent company of Facebook, over a data breach that occurred in 2018 on the social media platform. The breach exposed millions of user accounts, causing significant privacy concerns among the affected individuals. The fines were imposed by Ireland’s Data Protection Commission following an extensive investigation into the breach, which uncovered how hackers gained unauthorized access to user accounts by exploiting vulnerabilities in the platform’s code. These vulnerabilities allowed the hackers to steal crucial digital keys, referred to as “access tokens,” compromising the security and privacy of the affected users.
Under the stringent privacy regulations of the European Union, the Irish Data Protection Commission serves as the primary privacy regulator for Meta due to the company’s regional headquarters being located in Dublin. In response to the findings of its inquiry, the watchdog issued reprimands and administrative penalties amounting to 251 million euros ($264 million) after identifying multiple violations of the General Data Protection Regulation (GDPR), the EU’s comprehensive data protection framework.
In a statement addressing the fines, Meta expressed its intention to appeal the decision, emphasizing that the incident in question occurred in 2018 and that immediate actions were taken to address the identified security issues. The company also highlighted its proactive efforts to notify and assist the individuals impacted by the breach, in addition to cooperating with the Irish Data Protection Commission throughout the investigation process.
Initially, when the data breach was disclosed, Facebook reported that 50 million user accounts had been affected. However, the Irish watchdog later clarified that the actual number of compromised accounts was approximately 29 million, including 3 million within Europe. Meta acknowledged that upon discovering the security vulnerability, it promptly alerted relevant authorities, including the FBI and regulatory bodies in the United States and Europe, to mitigate the potential risks associated with the breach.
The cyberattack exploited three distinct vulnerabilities within Facebook’s “View As” feature, which allowed users to preview how their profiles appeared to others. By leveraging these vulnerabilities, the attackers were able to acquire access tokens from the accounts of individuals whose profiles were accessed using the “View As” feature. The attack then spread from one user’s Facebook friend to another, underscoring the severity and complexity of the breach. Possession of these access tokens granted the attackers unauthorized control over the compromised accounts, posing a significant threat to the privacy and security of the affected users.
In light of these developments, the fines imposed on Meta underscore the EU’s commitment to upholding data protection standards and holding companies accountable for data security lapses. The repercussions of the 2018 data breach serve as a stark reminder of the importance of safeguarding personal data and strengthening cybersecurity measures to prevent future incidents of a similar nature. As technology continues to evolve, regulators and companies alike must remain vigilant in addressing emerging threats and ensuring the integrity of users’ data in an increasingly interconnected digital landscape.