The European Union's data privacy watchdogs have imposed a substantial fine of 251 million euros on Meta, the parent company of Facebook, following an extensive investigation into a 2018 data breach that compromised millions of user accounts. The fine was issued by Ireland's Data Protection Commission (DPC), which is the lead regulator for Meta in the EU due to the company's European headquarters being located in Ireland. The investigation centered on a significant security vulnerability in Facebook’s platform, where hackers exploited bugs in the platform’s code to gain unauthorized access to user accounts, particularly by stealing access tokens.
Access tokens are critical pieces of information that allow users to stay logged into their accounts without needing to repeatedly enter passwords. By gaining control of these tokens, attackers could effectively hijack user accounts without their knowledge. The breach, which was initially reported as affecting 50 million user accounts, was later found to involve around 29 million users globally, including approximately 3 million in Europe. The hackers used a set of three distinct bugs in Facebook’s “View As” feature, which allowed users to see how their profiles appeared to other people. By exploiting this feature, attackers could retrieve access tokens from users’ accounts and then use those tokens to take control of their accounts.
The Irish Data Protection Commission concluded its investigation and determined that Meta had violated several provisions of the General Data Protection Regulation (GDPR), a strict set of rules designed to protect the personal data of European Union citizens. The DPC issued the fine after it found that Meta had failed to adequately protect the personal data of its users, and it imposed administrative penalties as a result of these breaches. In addition to the 251 million euros in fines, the DPC also issued a reprimand and called for the company to make changes in its security practices to ensure that such an incident would not happen again in the future.
Meta responded to the ruling by indicating that it would appeal the decision, asserting that the breach was first detected and addressed promptly in 2018. The company also emphasized that it had taken immediate action to fix the vulnerabilities once they were identified, and it proactively informed users who were impacted by the breach. The company also noted that it had alerted regulatory authorities such as the FBI and European regulators after discovering the security flaws.
Meta had initially reported that 50 million users had been affected by the breach when it was first disclosed to the public. However, after a detailed investigation, the Irish Data Protection Commission clarified that the actual number of affected users was around 29 million, with 3 million of those being based in Europe. Despite this revision of figures, the incident remains one of the largest data breaches in recent history, with serious implications for user privacy and the company’s reputation.
The attack unfolded over several months as the hackers exploited the vulnerabilities in the "View As" feature, a tool that allows Facebook users to see how their profiles look to others. By using this feature, the attackers were able to hijack access tokens from users who appeared in search results. The hack then spread across the platform as the attackers pivoted from each compromised account to that account's friends, giving them control over the personal data and activities of a significant number of users. This attack raised significant concerns about Facebook's ability to secure its users' data and the extent to which its platform could be exploited by cybercriminals.
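The two paragraphs above describe the core design failure: a profile-preview feature handing out an access token that acted as the account being previewed rather than the person actually logged in. The following toy model is an added illustration, not Facebook's code; the `Session`, `mint_token_*` and `principal_mismatches` names, the signing key and the claim layout are all constructed for the example. It contrasts a preview that decides the token's subject with a hardened version that always binds the subject to the authenticated principal, and adds the audit check a defender would run over issued tokens.

```python
"""Toy model of a "view as" profile preview and access-token minting.

Constructed example: shows the property a defender wants from any
impersonation/preview feature, namely that a token's subject is always
the principal who authenticated, never the account merely being previewed.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECRET = b"constructed-demo-signing-key"  # placeholder, not a real key


@dataclass(frozen=True)
class Session:
    authenticated_user: str            # who actually proved their identity
    view_as: Optional[str] = None      # account whose perspective is previewed


def _sign(claims: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def decode(token: str) -> dict:
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))


def mint_token_vulnerable(s: Session) -> str:
    # Defect modelled here: the preview context decides whose token is minted,
    # so previewing Bob's profile yields a token that acts as Bob.
    return _sign({"sub": s.view_as or s.authenticated_user})


def mint_token_hardened(s: Session) -> str:
    # Subject is always the authenticated principal; the preview target is a
    # separate, non-authoritative claim used only for rendering decisions.
    claims = {"sub": s.authenticated_user}
    if s.view_as:
        claims["preview_of"] = s.view_as
    return _sign(claims)


def principal_mismatches(issued: List[Tuple[Session, str]]) -> List[str]:
    """Audit check over (session, token) pairs: return the subject of every
    token whose subject is not the session's authenticated user. Any hit is a
    token that was issued for someone other than the person logged in."""
    return [decode(t)["sub"] for s, t in issued if decode(t)["sub"] != s.authenticated_user]
```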
The European Union's regulatory actions, particularly under GDPR, have made it clear that data privacy violations will not go unpunished, and the fines against Meta reflect the EU’s commitment to enforcing these standards. The imposition of these penalties on Meta is a reminder to other tech companies of the serious consequences they face if they fail to protect users' data properly. The decision also comes as European regulators continue to scrutinize the practices of major tech companies, particularly in relation to data security, privacy protections, and the handling of personal information.
Meta's appeal of the ruling will likely prolong the legal battle, but the case serves as a cautionary tale for other companies operating in Europe. As digital platforms continue to grow and gather more personal data, the enforcement of data protection regulations like GDPR is expected to remain a critical issue. It also signals the importance of transparency and accountability for companies in managing user data and protecting against cyber threats. In addition to the legal and financial consequences, the breach has damaged Meta's reputation, particularly given the public backlash over data security in the wake of previous scandals such as Cambridge Analytica. For now, Meta faces the task of rebuilding trust with its users while navigating the legal and financial fallout from this major breach.