Multimillion-euro fine for Facebook data breach

The Data Protection Commission (DPC) of Ireland has fined Meta €265 million after a data breach that became known in April 2021 exposed the personal data of 533 million Facebook users. The regulator launched the investigation shortly after the news broke to determine whether the social network complied with the General Data Protection Regulation (GDPR). The sanction is a clear indication that it did not.

The leaked information was posted on an internet forum and included the full names, phone numbers, locations, dates of birth, and in some cases the email addresses of millions of Meta users between 2018 and 2019. When Business Insider reported the leak, Meta said that the attacker had obtained the information through a vulnerability that the company had patched in 2019. It also commented that the stolen data was the same data that had come to light in a previous leak revealed by Motherboard in January 2021.

As determined by the DPC, Meta violated Article 5 of the GDPR, which deals with the principles related to the processing of personal data. “Since this data set was so large, there had already been precedents for scraping on the platform, and the problems could have been identified earlier, we ultimately imposed a significant fine,” says Helen Dixon, Ireland’s data protection commissioner. Scraping is a technique that allows attackers to access data by reading it from a website.

This is not the first, and possibly not the last, multimillion-dollar fine that Ireland has imposed on Meta for security failures or malpractice by its subsidiaries, which include Facebook, Instagram and WhatsApp. Today’s is the third penalty so far this year. The first was 17 million euros for not correctly protecting user data, and the second amounted to 405 million euros for not complying with Article 5 of the GDPR. To these almost 750 million euros in fines, we must add a penalty of 225 million euros that WhatsApp received in 2021.