© 2025 CoolTechZone - Latest tech news,
product reviews, and analyses.

Irish DPA fines Meta €251M for security breach


The Irish Data Protection Commission (DPC) has announced that Meta has to pay a fine of €251 million for a data breach that happened in July 2017.

Facebook then introduced a video upload function to its platform called ‘View As’. This feature allowed a user to see his own Facebook page as it would be seen by other users.

However, due to a bug in its design, malicious actors could invoke the uploader in conjunction with Facebook’s ‘Happy Birthday Composer’ feature to generate a user token that gave them full access to the Facebook profile of that user. A user could then use that token to exploit the same combination of features on other accounts, allowing them to access multiple users’ profiles and the data accessible through them.

According to the Irish data protection authority (DPA), unauthorized persons used scripts to exploit this vulnerability to log in to approximately 29 million Facebook accounts between September 14 and September 28, 2018. Around 3 million accounts were based in the EU.

Because of the vulnerability, bad actors were able to get a hold of full names, dates of birth, email addresses, phone numbers, location data, places of work, gender, religion, posts on timelines, groups of which a user was a member, and children’s personal data.

Soon after the incident, Facebook removed the functionality that caused the vulnerability.

Mark Zuckerberg’s company, however, is now being fined after an investigation by the DPC revealed that Meta violated European privacy laws when the leak occurred.

According to the Irish regulator, Facebook didn’t include all the information that was required in its data breach notification. In addition, the company failed to document the facts relating to each breach and the steps taken to remedy them, and to do so in a way that allowed the DPC to verify compliance. For these violations, Facebook’s parent company Meta is fined €11 million.

Furthermore, Facebook failed to properly protect the user data in its design of processing systems (security by design), and failed in its obligation to ensure that only personal data that was needed for specific purposes was processed (privacy by default). For these violations Meta received a €130 million and a €110 million fine respectively.

“This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals,” says DPC Deputy Commissioner Graham Doyle in a statement.

