Meta fined €250m over GDPR failings that led to 2018 breach

Ireland's Data Protection Commission (DPC) has imposed a fine of €251 million on Meta Platforms Ireland Limited for a significant data security breach that occurred in 2018.

The breach impacted approximately 29 million Facebook accounts globally, with around 3 million accounts based in the European Union and European Economic Area. The compromised personal data included users' full names, email addresses, phone numbers, location, workplace, date of birth, religion, gender, timeline posts, group memberships, and children's personal information.

The vulnerability originated from Facebook's 'View As' feature, which allows users to see their profile from another user's perspective. Cyber attackers exploited this by combining the video upload function with the 'Happy Birthday Composer' facility, generating fully permissioned user tokens that granted access to multiple user profiles.

Graham Doyle, deputy commissioner at the DPC, highlighted the serious implications of the breach. "This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms," he said.

The DPC's final decisions included multiple findings of infringement under the General Data Protection Regulation (GDPR). These included failures to provide comprehensive breach notifications, inadequate documentation of breach details, and insufficient data protection principles in system design.

The fine breakdown includes €8 million for incomplete breach notification, €3 million for documentation failures, €130 million for design-related data protection principle violations, and €110 million for processing unnecessary personal data.

Meta remedied the breach shortly after its discovery. The company has indicated it will appeal the decision, with a spokesperson stating, "We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission."

This latest fine adds to the substantial penalties Meta has faced from the Irish Data Protection Commission, which has now imposed nearly €3 billion in fines for GDPR breaches.

The DPC submitted its draft decision in September 2024 through the GDPR cooperation mechanism, with no objections raised by peer EU and EEA supervisory authorities.

The full decision and related information will be published by the DPC in due course.
