Meta slapped with €251 million fine for mishandling 2018 data breach

In September 2018, it came to light that hackers had breached Facebook and gained access to data on over 50 million Facebook accounts. Around 3 million of those affected accounts were based in EU countries.

The personal data involved in the hack included:

The user’s full name

Their email address

Their telephone number

Their place of residence

Their place of work

Their date of birth

Their religion

Their gender

Their posts in their timeline

The groups they were members of

The personal data of their children

The security breach was caused by the exploitation of user tokens on the Facebook platform by unauthorized third parties. The issue was remedied by Meta Platforms Ireland Limited (MPIL) and its US parent company shortly after it was discovered.

The Irish Data Protection Commission (DPC) has now imposed a fine of €251 million on Meta Ireland, Facebook’s parent company, as a result. The reasons for the fine are as follows:

Meta didn’t include all the required details, which it could and should have provided, in its data breach notification. The data protection commissioner reprimanded MPIL for failing to comply with the law and ordered it to pay fines totaling €8 million.

Meta failed to document the facts of each breach and the steps taken to remedy them in a manner that would allow the regulator to verify compliance. The regulator reprimanded MPIL for these failures and ordered the payment of fines totaling €3 million.

Meta failed to ensure that data protection principles were protected in the design of its processing systems. The data protection authority found that MPIL had breached this provision, issued a warning to MPIL, and ordered it to pay fines totaling €130 million.

Meta failed to fulfill its obligations as a data controller to ensure that, by default, only personal data necessary for specific purposes was processed. The data protection authority found that MPIL had breached these provisions, warned MPIL, and ordered it to pay fines totaling €110 million.

Facebook is likely to appeal the fines.