Meta fined €265m by Irish watchdog for data breach
Facebook parent company Meta has been fined €265 million by the Irish Data Protection Commission (DPC) following a data breach which saw the personal details of hundreds of millions of Facebook users published online.
In April 2021, the DPC launched an investigation after data including names, phone numbers and email addresses of up to 533 million users appeared on an online hacking forum.
Facebook said at the time that the information, some of which had already appeared online a number of years ago, was "scraped", but not hacked, by malicious actors through a vulnerability in its tools prior to September 2019.
"Scraping" uses automated software to lift public information from the internet, which can then end up being distributed in online forums.
The social network said it patched the vulnerability in 2019, preventing any further data from being harvested.
As part of its investigation, the Data Protection Commission examined and assessed the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta between 25 May 2018 and September 2019.
The material issues in the inquiry concerned questions of compliance with the General Data Protection Regulation (GDPR) obligation for Data Protection by Design and Default.
Meta was found to be in breach of Article 25 of the GDPR rules.
"Because this data set was so large, because there had been previous instances of scraping on the platform where the issues could have been identified in a more timely way, we ultimately imposed a significant sanction," said Helen Dixon, Data Protection Commissioner.
"The risks are considerable for individuals in terms of scamming, spamming, smishing, phishing and loss of control over their personal data so we imposed a fine of €265m in total," Ms Dixon said.
As well as the fine, Meta has been issued with a reprimand and an order requiring it to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.