DPC fines Facebook owner €251m over breach

The Irish Data Protection Commission (DPC) has fined Facebook owner Meta €251m after concluding an investigation into a 2018 data breach that exposed millions of user accounts.

The incident had seen hackers gain access to user information by exploiting bugs in the platform’s code that allowed them to access what are known as user tokens. The data breach impacted approximately 29 million Facebook accounts globally, of which approximately three million were based in the EU/EEA. Data involved included users’ full name; email address; phone number; location; place of work; date of birth; religion; gender and children’s personal data.

The breach had been reported by Meta, which is headed by founder Mark Zuckerberg, in September 2018.

The decisions, which were made by the Commissioners for Data Protection, Dr Des Hogan and Dale Sunderland, included a number of reprimands and an order to pay administrative fines totalling €251m.

The DPC submitted a draft decision to European peer agencies under the GDPR cooperation mechanism in September 2024, where no objections were raised.

The decisions come not long after the DPC fined Meta €91m, in September this year, for storing passwords in plain text.

That case dates back to 2019, when Meta notified the Irish regulator that it had “inadvertently” stored certain passwords of social media users in plain text on its internal systems without cryptographic protection or encryption.

The latest fine takes the total levied by the DPC against all companies to around €3.5bn, mostly in the last four years and overwhelmingly levied against big tech firms, which have large operations in Ireland and therefore fall under Irish jurisdiction under the EU’s so-called ‘one-stop-shop’ rule.

Just a fraction of those fines have been collected, however, with significant fines subject to appeal.

Commenting on the Meta fine issued this week, DPC Deputy Commissioner Graham Doyle said it highlighted how failure to build in data protection requirements throughout the design and development cycle exposed individuals to very serious risks and harms.

Facebook data can be highly sensitive, he said.

“Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”

Reporting on: independent.ie
