Meta fined $263 million for 6-year-old data breach that leaked 29 million Facebook accounts, ET LegalWorld

The European Union’s data privacy authorities have imposed a $263 million fine on Meta, Facebook’s parent company, for a 2018 data breach that exposed millions of user accounts. The breach exploited vulnerabilities in Facebook’s code, allowing hackers to steal digital keys, or access tokens, that granted control over user accounts. Ireland’s Data Protection Commission (DPC), Meta’s lead privacy regulator within the EU, issued the penalty after a detailed investigation. The case underscores the EU’s commitment to enforcing the General Data Protection Regulation (GDPR), one of the world’s strictest privacy laws. Meta plans to appeal the decision, maintaining that it acted swiftly and transparently to address the breach.

Meta fined $263 million for 2018 data breach: Here’s what happened

The breach occurred in September 2018, when hackers exploited a series of bugs in Facebook’s “View As” feature. This tool allowed users to see how their profiles appeared to others, but flaws in its code enabled attackers to steal access tokens. These tokens, essentially digital keys that keep users logged in, granted attackers complete control over user accounts without needing passwords.

The attack escalated through connected accounts, spreading from one Facebook friend to another. Initially, Facebook estimated that 50 million accounts were affected. However, further investigation revealed that around 29 million accounts were compromised, including 3 million in Europe.

Meta’s response and regulatory action

Upon discovering the breach, Facebook reported the issue to law enforcement, including the FBI, and informed data protection regulators in Europe and the United States. The company also promptly fixed the vulnerabilities in the “View As” feature and notified affected users.

Despite these efforts, the Irish Data Protection Commission found Meta in violation of the GDPR. The inquiry concluded that Meta failed to adequately secure user data and committed multiple infringements of the regulation, resulting in the $263 million fine. Alongside the financial penalty, the DPC issued formal reprimands and administrative directives to Meta.

Meta, however, disputes the decision and plans to appeal. In a statement, the company highlighted its proactive response, asserting that it acted transparently and took immediate corrective measures.

Role of the Irish Data Protection Commission

Under GDPR, Ireland’s Data Protection Commission serves as the lead privacy regulator for Meta, as the company’s European headquarters are in Dublin. This is not the first time Meta has faced scrutiny from the DPC. The watchdog has previously levied fines on the tech giant for data-related violations, demonstrating its active role in ensuring compliance with GDPR across the EU.

GDPR and its implications

The General Data Protection Regulation, implemented in 2018, grants EU citizens significant control over their personal data and imposes strict obligations on companies to protect that data. The law allows for fines of up to 4% of a company’s global revenue for serious violations.

The $263 million penalty against Meta is part of the EU’s broader effort to hold tech giants accountable for safeguarding user data. The case reinforces the importance of robust data security measures and transparent practices in handling breaches.


  • Published On Dec 20, 2024 at 03:33 PM IST
