Ireland’s data protection authority has fined Meta €251 million for a massive leak that affected millions of Facebook users in Europe and around the world.
Hackers were able to get hold of names, dates of birth, location and contact details of an estimated 29 million Facebook users, including those of three million accounts based in the EU.
The breach happened back in 2018 and Meta Platforms Ireland Limited reported the breach itself to the Irish Data Protection Commission (DPC).
Hackers exploited a flaw in Facebook’s system for add-on apps to access personal data. It gave them access to users’ full name, gender, email address, phone number, location, place of work and date of birth. They were also able to see timeline posts and personal data of children.
The DPC says Facebook took action to close the loophole “shortly after its discovery”.
But the Commission concluded that Facebook had breached EU data protection law, GDPR, in a number of areas.
The most serious breach was “failing to ensure that data protection principles were protected in the design of processing systems” and a failure to “ensure that, by default, only personal data that are necessary for specific purposes are processed”.
The DPC says the breach “caused a grave risk of misuse” of personal information including sexual orientation, religious and political beliefs.
Responding to the quarter-of-a-billion-euro fine, a Meta spokesperson said: “This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission. We have a wide range of industry-leading measures in place to protect people across our platforms.”