NIXsolutions: Meta Fined for GDPR Breach Involving Data Leak

The Irish Data Protection Commission (DPC) has imposed a fine on Meta for breaching the EU’s General Data Protection Regulation (GDPR) due to a data leak that affected 3 million Facebook users in Europe.

The Breach and Its Origins

The breach took place in September 2018 and was caused by a vulnerability introduced in 2017 by a change to Facebook's video uploader. The issue stemmed from the interaction of the "View As" tool, which lets a user see their own profile as another user would see it, with a video uploader that appeared inside the "Happy Birthday Composer" on that page. The uploader should never have rendered inside a read-only preview, and when it did, it generated an access token not for the logged-in viewer but for the user being simulated, handing an attacker a token that granted access to that other user's account.
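To make the mechanism concrete, here is a toy model of the token confusion just described. It is illustrative code added for this article, not Facebook's code: the names Session, ViewAsContext, issue_uploader_token_vulnerable and issue_uploader_token_hardened, the HMAC signing key and the user names are all constructed for the example. The vulnerable path mints the token for the simulated user taken from page state; the hardened path refuses to issue any token inside a preview and binds every token it does issue to the authenticated session principal.

```python
# Toy model of the token-confusion bug in the 2018 Facebook "View As" incident.
# Constructed for this article; not Facebook's code. All names and keys are hypothetical.
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional, Union

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # constructed; a real key stays secret


@dataclass(frozen=True)
class Session:
    user_id: str  # the authenticated principal (who is actually logged in)


@dataclass(frozen=True)
class ViewAsContext:
    viewer_id: str     # the logged-in user previewing their own profile
    view_as_user: str  # the user whose view of the profile is being simulated


def sign_token(subject: str, scope: str) -> str:
    """Mint an HMAC-signed bearer token whose 'sub' is the account it grants access to."""
    payload = json.dumps({"sub": subject, "scope": scope}, sort_keys=True)
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def token_subject(token: str) -> str:
    """Verify the signature and return the account the token acts as."""
    payload, mac = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("token signature invalid")
    return json.loads(payload)["sub"]


def issue_uploader_token_vulnerable(ctx: ViewAsContext) -> str:
    """The bug: the uploader runs inside a read-only preview and mints its token
    for the simulated user taken from page state, not for the authenticated viewer."""
    return sign_token(ctx.view_as_user, scope="mobile_app")


def issue_uploader_token_hardened(session: Session, ctx: Optional[ViewAsContext]) -> str:
    """The fix: no token-bearing component may run inside a View As preview, and any
    token that is minted is bound to the session principal, never to page state."""
    if ctx is not None:
        raise PermissionError("View As is a read-only preview; no tokens are issued here")
    return sign_token(session.user_id, scope="mobile_app")


def run_demo() -> Dict[str, Union[str, bool]]:
    """Attacker 'alice' opens View As on her own profile and picks 'bob' as the viewer."""
    session = Session(user_id="alice")
    preview = ViewAsContext(viewer_id="alice", view_as_user="bob")

    # Vulnerable: the token alice receives acts as bob.
    leaked_subject = token_subject(issue_uploader_token_vulnerable(preview))  # "bob"

    # Hardened: the preview issues nothing at all ...
    try:
        issue_uploader_token_hardened(session, preview)
        preview_blocked = False
    except PermissionError:
        preview_blocked = True

    # ... and outside the preview the token can only ever act as the session user.
    normal_subject = token_subject(issue_uploader_token_hardened(session, None))  # "alice"
    return {
        "vulnerable_subject": leaked_subject,
        "hardened_blocks_preview": preview_blocked,
        "hardened_subject": normal_subject,
    }


if __name__ == "__main__":
    print(run_demo())
```

The general lesson the model shows is that the subject of an access token must come from the authenticated session, never from whatever the page happens to be rendering; a preview or impersonation mode that is meant to be read-only should not be able to reach any token-issuing code path at all.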


Between 14 and 28 September 2018, unauthorized individuals exploited this vulnerability with automated scripts to log in to 29 million Facebook accounts, 3 million of which belonged to users in the EU or European Economic Area (EEA) and so fell under the DPC's jurisdiction. The attackers accessed a wide range of personal data, including full names, email addresses, phone numbers, location and employment details, dates of birth, religion, gender, news feed posts, and group memberships. The personal data of children was among what was accessed.

DPC Findings and Meta’s Response

The DPC found two sets of violations. First, in its handling of the breach, Meta did not include in its notification to the regulator all the information it was required to provide, and did not fully document the breach and the remedial steps taken (the breach-notification and documentation duties of GDPR Article 33). Second, and independently of the incident response, Meta had failed to build data protection into the design of the affected features and to limit by default the personal data those features could expose (Article 25, data protection by design and by default), leaving the personal data of European users without adequate protection.

As a result, the DPC imposed a fine of €11 million for the first set of violations and €240 million for the second, a total of €251 million. Meta has expressed regret over the breach and emphasized that the issue was addressed promptly once discovered. A Meta spokesperson, Emily Westcott, told TechCrunch: "This decision relates to an incident from 2018. We took immediate action to fix the issue as soon as it was discovered and informed the people affected and the Irish Data Protection Commission in advance. We have a wide range of industry-leading measures in place to protect people on our platforms."

This is not Meta's only recent DPC penalty: in September 2024 it was fined €91 million for storing hundreds of millions of user passwords in plaintext on its internal servers, a practice that came to light in 2019. We'll keep you updated as the story develops.