LONDON — Meta, the company behind Facebook, has faced a hefty financial penalty amounting to 251 million euros following a comprehensive investigation into a significant data breach that occurred in 2018. This breach led to the exposure of millions of user accounts on the platform.
The fines were imposed by Ireland’s Data Protection Commission, which concluded its investigation into the incident. Hackers accessed user accounts by taking advantage of vulnerabilities in the platform’s code, enabling them to capture digital keys known as “access tokens.”
As the primary privacy regulator for Meta, the Irish authority oversees compliance with the EU’s rigorous privacy laws since the company’s European headquarters is located in Dublin.
Following their findings, the authority issued reprimands along with administrative fines totaling 251 million euros (approximately $264 million) for multiple violations under the General Data Protection Regulation (GDPR). In response to these penalties, Meta announced plans to appeal the ruling.
In a statement, Meta emphasized, “This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified.” The company also claimed to have proactively notified those affected along with the Irish regulatory body.
Initially, when the breach was disclosed, Facebook suggested that approximately 50 million user accounts were compromised. However, the Irish authority clarified later that the actual number of affected users was around 29 million, which included 3 million individuals in Europe.
After identifying the bug, Meta reported that it promptly contacted the FBI and regulatory bodies across the U.S. and Europe. The breach involved three separate flaws in Facebook’s “View As” feature, which allowed users to see how their profiles appeared to others. The attackers exploited these vulnerabilities to capture access tokens from users whose profiles were viewed through this feature. The malicious activity then spread among friends on the platform, granting attackers control over their accounts by possessing these tokens.