Meta fined €251 mn over data breach affecting Facebook

The Irish Data Protection Commission (DPC) has announced decisions on two investigations into Meta Platforms Ireland Limited (MPIL) related to a 2018 data breach affecting 29 million Facebook accounts globally, including 3 million within the EU/EEA. The breach exposed personal data, including names, emails, phone numbers, and sensitive profile information such as religion and political beliefs.

Following the breach caused by the exploitation of user tokens on Facebook’s platform, the DPC levied administrative fines totaling €251 million and issued reprimands for multiple violations of the General Data Protection Regulation (GDPR).

Key Findings and Fines:

Decision 1:

Article 33(3) GDPR: Failure to provide complete breach notifications. MPIL was fined €8 million.

Article 33(5) GDPR: Inadequate documentation of breach facts and remedial actions. MPIL was fined €3 million.

Decision 2:

Article 25(1) GDPR: Failure to integrate data protection principles into system design. MPIL was fined €130 million.

Article 25(2) GDPR: Failure to ensure only necessary personal data was processed by default. MPIL was fined €110 million.

Breach Details:

The breach arose from Facebook’s “View As” feature and a video upload tool, allowing attackers to exploit user tokens and access profiles. Unauthorized access occurred from September 14 to 28, 2018, exposing personal data of millions. Facebook identified the vulnerability following unusual activity and disabled the feature.

Deputy Commissioner Graham Doyle emphasized the importance of embedding data protection throughout development processes, stating:

“This enforcement action highlights how failure to build in data protection requirements can expose individuals to serious risks, including violations of fundamental rights. The unauthorized exposure of sensitive profile data presented a grave risk of misuse,” Graham Doyle said.

In October, the DPC imposed a fine of €91 million following an inquiry into Meta Platforms Ireland. Meta Platforms had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems.
