Pierluigi Paganini December 18, 2024

Meta has been fined €251M ($263M) for a 2018 data breach affecting millions in the EU, marking another penalty for violating privacy laws.

The Irish Data Protection Commission (DPC) fined Meta €251 million ($263M) for a 2018 data breach impacting 29 million Facebook accounts.

“The Irish Data Protection Commission (DPC) has today announced its final decisions following two inquiries into Meta Platforms Ireland Limited (‘MPIL’). These own-volition inquiries were launched by the DPC following a personal data breach, which was reported by MPIL in September 2018.” reads the press release published by DPC.

“This data breach impacted approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the EU/EEA. The categories of personal data affected included: user’s full name; email address; phone number; location; place of work; date of birth; religion; gender; posts on timelines; groups of which a user was a member; and children’s personal data. “

In October 2018, Facebook announced that hackers accessed data of 29 Million users, a number that is less than initially thought of 50 million.

The hackers did not affect Facebook-owned Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps or advertising or developer accounts, the company said.

Attackers exploited a vulnerability in the “View As” feature that allowed them to steal Facebook access tokens of the users, it allows users to see how others see their profile.

Earlier this month Facebook revealed attackers chained three bugs to breach into the Facebook platform.

“We now know that fewer people were impacted than we originally thought,” said Facebook vice president of product management Guy Rosen in a conference call.

Attackers accessed the names, phone numbers and email addresses of 15 million users, while for another 14 million users hackers also accessed usernames, profile details (i.e. gender, relationship status, hometown, birthdate, city, and devices), and their 15 most recent searches.

For the remaining one million users affected by the Facebook Data Breach whose “access tokens” were stolen, no data was accessed.

The hackers started on September 14 with 400,000 “seed accounts” they were controlling directly then they expanded their activity to their networks.

“First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people.” Rosen added.

“In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles. That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations. Message content was not available to the attackers, with one exception. If a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers.”

The DPC fined Meta €251M for GDPR violations, citing insufficient breach notifications (€8M), poor breach documentation (€3M), design flaws (€130M), and default data protection failures (€110M).

Below are the findings of infringement of the GDPR reported by DPC:

Decision 1

• Article 33(3) GDPR – By not including in its breach notification all the information required by that provision that it could and should have included. The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €8 million.
• Article 33(5) GDPR – By failing to document the facts relating to each breach, the steps taken to remedy them, and to do so in a way that allows the Supervisory Authority to verify compliance. The DPC reprimanded MPIL for failures in regards to this provision and ordered it to pay administrative fines of €3 million.

Decision 2

• Article 25(1) GDPR – By failing to ensure that data protection principles were protected in the design of processing systems. The DPC found that MPIL had infringed this provision, reprimanded MPIL, and ordered it to pay administrative fines of €130 million.
• Article 25(2) – By failing in their obligations as controllers to ensure that, by default, only personal data that are necessary for specific purposes are processed. The DPC found that MPIL had infringed these provisions, reprimanded MPIL, and ordered it to pay administrative fines of €110 million.

“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals.” said DPC Deputy Commissioner Graham Doyle. “Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Meta)