December 17, 2024 By Bill Toulas

The Irish Data Protection Commission (DPC) fined Meta €251 million ($263.6M) over General Data Protection Regulation (GDPR) violations arising from a 2018 personal data breach impacting 29 million Facebook accounts.
The breach occurred when unauthorized parties exploited user access tokens, exposing sensitive personal data such as names, email addresses, phone numbers, and physical locations; the affected accounts included those of children.
Although Facebook took immediate corrective action upon discovering the bug in its "View As" feature, the incident still violated several GDPR articles.
Specifically, the Irish DPC identified the following GDPR violations in connection with the incident:
- Article 33(3): Incomplete breach notification details → €8M fine
- Article 33(5): Poor documentation of breach facts/remedies → €3M fine
- Article 25(1): Failure to embed data protection in system design → €130M fine
- Article 25(2): Failure to limit data processing to what's necessary → €110M fine
"This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals," commented Graham Doyle, the DPC's Deputy Commissioner.