Fining Meta of €251 Million for 2018 Data Breach: Impact, GDPR Violations, and Privacy Concerns

Meta Platforms, the parent company behind popular social media platforms like Facebook, Instagram, WhatsApp, and Threads, has found itself facing another significant financial setback. The company has been hit with a hefty fine of €251 million (approximately $263 million) by the Irish Data Protection Commission (DPC) in relation to a data breach that took place in 2018. This breach, which affected millions of users, is one of several penalties the company has faced in recent years due to violations of stringent European privacy regulations.

The breach, which Meta disclosed back in September 2018, had a wide-reaching impact, with around 29 million Facebook accounts in the European Union (EU) and European Economic Area (EEA) affected. Although initial estimates suggested the breach affected 50 million accounts globally, the DPC’s investigation revealed that the breach was more limited, though still significant. The compromised accounts included sensitive personal information such as users’ names, email addresses, phone numbers, locations, workplaces, birthdates, religious affiliations, gender, and even posts shared on timelines and in groups. In some cases, the breach also exposed data related to children.

The incident can be traced back to a security flaw introduced in Facebook’s systems in 2017, which allowed malicious actors to exploit the “View As” feature. This feature, designed to allow users to see how their profile appeared to others, was manipulated in such a way that attackers could gain unauthorized access to account access tokens. These tokens essentially acted as keys, allowing the hackers to enter user accounts and view or steal personal information. Once access was gained to one account, the attackers were able to use the same exploit across multiple accounts, multiplying the breach’s effects. This loophole, which allowed attackers to bypass Facebook's security measures, remained active for a period of about two months, from September 14 to September 28, 2018.
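A defensive illustration of the design principle at issue in the "View As" incident, added here as an example and not Meta's code (all names, claims and the signing key are assumptions): a preview token is bound to the viewer and to a read-only scope, so even if it leaks it cannot be presented as a full session for the profile being previewed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key (assumption); a real service would use a managed secret.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, scope: str, viewed_as: Optional[str] = None,
               ttl: int = 300, now: Optional[int] = None) -> str:
    """Issue an HMAC-signed token whose claims fix who holds it and what it may do."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "scope": scope, "viewed_as": viewed_as, "exp": now + ttl}
    body = _b64e(json.dumps(claims, sort_keys=True).encode())
    sig = _b64e(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, required_scope: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the signature, expiry and scope all check out."""
    body, _, sig = token.partition(".")
    expected = _b64e(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not sig or not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_b64d(body))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now or claims["scope"] != required_scope:
        return None
    return claims


def preview_token_for(viewer_id: str, target_id: str, now: Optional[int] = None) -> str:
    # The subject is the VIEWER, never the profile being previewed, and the
    # scope permits only the read-only preview, not account actions.
    return mint_token(viewer_id, "profile:preview", viewed_as=target_id, now=now)


def can_act_as_account(token: str, account_id: str, now: Optional[int] = None) -> bool:
    """Would this token let its bearer operate account_id as a full session?"""
    claims = verify_token(token, "account:full", now=now)
    return claims is not None and claims["sub"] == account_id
```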

The breach was not immediately detected, and it was only after Meta conducted an internal investigation that the company reported the issue to the relevant authorities. The security flaw, which had allowed hackers to exploit Facebook's "View As" feature, enabled the attackers to gather and exfiltrate sensitive data from millions of accounts, raising concerns about the safety of user data on the platform. Meta's efforts to secure its systems and remedy the situation included removing the vulnerable feature and bolstering its security infrastructure, but the harm had already been done.

The penalties levied by the DPC were based on multiple violations of the European Union's General Data Protection Regulation (GDPR). Specifically, the fine was issued for failing to notify the breach properly, not documenting the breach appropriately, and not embedding adequate data protection principles into the design of Facebook’s systems. In total, four GDPR provisions were cited as the basis for the fine:

  1. Article 33(3): Meta failed to include all necessary information in its breach notification. This regulation requires companies to notify authorities promptly about data breaches, including detailed information about the nature of the breach, its likely consequences, and the steps taken to mitigate any potential damage.

  2. Article 33(5): Meta did not adequately document the breach, including the facts surrounding it, the actions taken to address it, and the measures put in place to prevent future occurrences. The GDPR mandates that companies document breaches comprehensively so that supervisory authorities can verify compliance with data protection laws.

  3. Article 25(1): Meta failed to ensure that the design of its processing systems incorporated data protection principles from the outset. This principle, known as "privacy by design," requires that organizations incorporate data protection features into their systems and processes as a preventive measure.

  4. Article 25(2): Meta did not meet the requirements to process only necessary personal data for specific purposes. GDPR stipulates that only the minimum amount of personal data necessary for a specific purpose should be processed, which was not the case in this instance.

The Irish Data Protection Commission emphasized the severity of the breach, underscoring that the failure to design data protection features into the system and ensure compliance with GDPR could expose users to significant risks and harm. The breach compromised sensitive personal data, which could have been misused for various malicious purposes, including identity theft, fraud, or phishing attacks. In addition, the breach raised concerns about the vulnerability of online platforms and the potential for such attacks to escalate if adequate security measures were not in place.

This fine against Meta is not an isolated incident but rather part of a growing trend of financial penalties for companies failing to comply with stringent data protection regulations. The fine for the 2018 breach is the second significant penalty imposed on Meta for security flaws and data privacy violations. In September 2024, the DPC also fined Meta €91 million ($101.5 million) for a separate security issue that involved the accidental storage of user passwords in plaintext, a violation that exposed users' data to potential misuse.

The cumulative effect of these fines is starting to add up, signaling a heightened scrutiny on Meta’s handling of user data and its efforts to comply with international privacy standards. The company’s efforts to reform its security measures in response to these fines will likely be closely watched by regulatory bodies and privacy advocates alike. The ongoing scrutiny could have broader implications for the tech industry as a whole, with more stringent regulatory frameworks expected to shape the future of data protection and cybersecurity.

Meta's data privacy troubles extend beyond the European Union. In addition to the GDPR penalties, the company also faces legal and regulatory action in other parts of the world. In one notable example, Meta has agreed to a AU$50 million ($31.5 million) settlement with the Office of the Australian Information Commissioner (OAIC). This settlement is related to the misuse of personal information for political profiling and targeted advertising in connection with the infamous 2018 Cambridge Analytica scandal.

The Australian settlement stems from an investigation into Meta's handling of user data in the wake of the Cambridge Analytica scandal, where personal information from millions of users was harvested without their consent and used to influence political campaigns. The settlement scheme, which is expected to begin accepting applications in the second quarter of 2025, offers payments to Australian users who were affected by the breach. The payment program is divided into two tiers: a base payment for those who experienced general concern or embarrassment due to the breach, and a specific payment for individuals who can demonstrate tangible harm or loss as a result of the exposure of their data.

In total, approximately 53 Australian Facebook users had installed the "This Is Your Digital Life" app, which was at the center of the Cambridge Analytica scandal. An additional 311,074 Australian users were potentially affected as their personal data could have been accessed through their connections with those who installed the app. This settlement is seen as a significant step in resolving the privacy concerns surrounding the scandal and provides a means for affected users to seek redress.

Meta's ongoing legal battles and settlement agreements reflect the growing importance of data privacy in the digital age. As more and more personal information is shared and stored online, the need for robust cybersecurity measures and transparent data handling practices has never been more critical. Companies like Meta, which handle vast amounts of user data, are under increasing pressure to demonstrate their commitment to safeguarding user privacy and ensuring compliance with global data protection laws.

The European Union’s GDPR and other regional privacy regulations have been instrumental in holding companies accountable for data breaches and failures to protect user information. These laws are designed not only to punish companies for negligence but also to encourage better practices in data processing and security. For Meta, these fines and settlements are a stark reminder that failing to adhere to these regulations comes with significant financial and reputational costs. The company now faces the challenge of rebuilding trust with its users and ensuring that future breaches do not occur.

As Meta continues to navigate these challenges, it is clear that the company must prioritize data security and user privacy in its operations. The lessons from the 2018 breach and subsequent penalties will likely shape the company’s approach to data protection moving forward. It remains to be seen whether these efforts will be sufficient to restore public confidence in Meta’s ability to safeguard its users’ personal information or if further regulatory scrutiny will continue to target the tech giant in the years to come.

In conclusion, Meta’s €251 million fine from the Irish Data Protection Commission represents another significant chapter in the ongoing saga of data privacy violations involving major tech companies. With the increasing importance of safeguarding user data and adhering to regulatory frameworks like the GDPR, Meta’s challenges are likely to persist. However, the company's ability to learn from these mistakes and implement stronger security measures will be key to its long-term success in navigating the evolving landscape of global data protection laws. The broader tech industry will undoubtedly be watching closely, as the consequences of these high-profile cases will shape the future of online data privacy and security for years to come.
