Irish data protection commission fines Meta over 2021 data-scraping leak

Irish data protection commission (DPC) fined Meta for not protecting Facebook’s users’ data from scraping.

Meta has been fined €265 million ($275.5 million) by the Irish data protection commission (DPC) for the data leak suffered by Facebook in 2021 that exposed the data belonging to millions of Facebook users.

The Data Protection Commission is also imposing a range of corrective measures on Meta.

“The Data Protection Commission (DPC) has today announced the conclusion to an inquiry into Meta Platforms Ireland Limited (MPIL), data controller of the “Facebook” social media network, imposing a fine of €265 million and a range of corrective measures.” reads the DPC’s press release.

On April 3rd, 2021, a user leaked the phone numbers and personal data of 533 million Facebook users in a hacking forum for free online.

The availability of the data was first reported by Alon Gal, CTO of cyber intelligence firm Hudson Rock.

The data of Facebook users from 106 countries were available for free, with over 32 million records belonging to users from the US, 11 from the UK, and 6 million users from India. Leaked data included users’ phone numbers, Facebook IDs, full names, locations, birthdates, bios, and for some accounts the associated email addresses.

Immediately after the disclosures of the data leak the Irish DPC launched an investigation of potential GDPR violations by Meta. The data were amassed by threat actors by exploiting a vulnerability fixed in 2019 that allowed data scraping from the social network.

“The company, at the time known as Facebook, said the data had been gathered by what it said were malicious actors who misused a Facebook tool called “Contact Importer” to upload a large volume of phone numbers to see which ones matched the service’s users.” reported the WSJ. “On Monday, the company reiterated that it had removed the ability to use phone numbers to scrape its services in this way in 2019.”

Now DPC concluded the investigation and argued that Meta violated the GDPR for not implementing appropriate technical and organizational measures, and not adopting the necessary safeguards as required by the European Regulation.

“The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.” continues the press release.

Meta declared that it has made multiple changes to better safeguard users’ data since the incident took place. The Iris privacy regulator revealed it has several dozen more ongoing cases involving multiple tech giants.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Meta)

[adrotate banner=”5″]

[adrotate banner=”13″]