The Register: Ireland fines Meta for 2018 ‘View As’ breach that exposed 30M accounts

Source URL: https://www.theregister.com/2024/12/17/ireland_fines_meta_for_2018/
Source: The Register
Title: Ireland fines Meta for 2018 ‘View As’ breach that exposed 30M accounts

Feedly Summary: €251 million? Zuck can find that in his couch cushions, but Meta still vows to appeal
It’s been six years since miscreants abused some sloppy Facebook code to steal access tokens belonging to 30 million users, and the slow-turning wheels of Irish justice have finally caught up with a €251 million ($264 million) fine for the social media biz. …

AI Summary and Description: Yes

**Summary:** The text details a significant fine imposed on Meta by the Irish Data Protection Commission for a 2018 data breach affecting 30 million users. The breach resulted from vulnerabilities in Facebook’s code that led to unauthorized exposure of personally identifiable information (PII). The enforcement action underscores the importance of building data protection measures into design and development processes to prevent such risks.

**Detailed Description:**
The Irish Data Protection Commission (DPC) has concluded two investigations into a major data breach at Meta, resulting in a €251 million ($264 million) fine. This incident, which occurred in 2018, exposed access tokens for 30 million users due to multiple vulnerabilities in Facebook’s code. Key points include:

– **Breach Overview:**
  – The breach allowed unauthorized access to PII; it was initially believed to involve 90 million users, a figure later revised to 30 million.
  – Approximately three million of the affected users reside in the EU.

– **Types of Exposed Data:**
  – PII compromised included:
    – Full names
    – Email addresses
    – Phone numbers
    – Birth dates
    – Religious affiliation
    – Gender
    – User posts and groups
  – Notably, the data of children was also exposed.

– **GDPR Violations:**
  – The DPC identified four violations of the EU’s General Data Protection Regulation (GDPR), including:
    – **Article 33:** Breach notification failures: the notification was incomplete and the breach was not adequately documented.
    – **Article 25:** Failure to comply with data protection by design and by default, i.e. not building data protection principles into system design.

– **Meta’s Response:**
  – Meta plans to appeal the decision. It stated that it took immediate action to fix the vulnerabilities once they were identified and that robust security measures are in place, including multifactor authentication and login alerts.

– **Context of Previous Fines:**
  – This incident is not isolated: the DPC fined Meta several times during 2022 and 2023 for other GDPR violations, pointing to ongoing compliance issues.
  – The latest fine, while substantial, is a small fraction of Meta’s quarterly profits, raising questions about the effectiveness of financial penalties as a regulatory tool.

This case highlights critical lessons for professionals involved in information security and compliance, emphasizing the necessity for stringent data protection measures during the software development lifecycle and the ongoing challenge of maintaining user data safety in large-scale platforms.