Meta fined €251 million for leaking data of 3 million Europeans

The Irish Data Protection Commission (DPC) fined Meta✴ for violating the EU General Data Protection Regulation (GDPR), which resulted in the leak of information from 3 million European users of the social network Facebook✴.

Image source: Antoine Schibler / unsplash.com

The fact of the violation dates back to 2018, but its cause dates back to 2017 – then Facebook✴ introduced a new video uploading mechanism, which included a “View as” function, which allowed the user to view their own page on the social network, which one it was. seen by another user. Due to a flaw in the architecture of this feature, it was combined with another feature called “Happy Birthday Composer” to generate a token that allowed access to another user’s profile.

During the period from September 14 to September 28, 2018, unauthorized persons, using scripts to exploit this Facebook vulnerability✴, logged in as account owners to 29 million social network accounts – of which 3 million were located in the EU or the European Economic Area, that is, in the area of ​​​​responsibility DPC. The attackers acquired various categories of personal data of Facebook users✴: full names, email addresses, phone numbers, information about location and place of work, dates of birth, religion, gender, publications in the news feed, groups in which they belonged, as well as personal children’s data.

DPC found two violations in the company’s actions: the owner of the social network did not disclose to the regulator all information about the incident, did not fully document the facts of the violation and the steps taken to eliminate the problem; In addition, the platform owner violated the principles of the GDPR by failing to provide adequate measures to protect the personal data of Europeans. For the first violation, a fine of €11 million was imposed, for the second – €240 million.

«This decision is related to an incident from 2018. We took immediate action to resolve the issue as soon as it was discovered and informed affected people as well as the Irish Data Protection Commission in advance. We have a wide range of industry-leading measures available to protect people on our platforms,” Meta✴ spokesperson Emily Westcott told TechCrunch. In September, the company was fined €91 million for storing “hundreds of millions” of user passwords in clear text on servers in 2019.