Meta fined $263M over 2018 security breach that affected ~3M EU Facebook users
Meta has been fined €251 million (around $263 million) in the European Union for a Facebook security breach that affected millions of users, which the company disclosed back in September 2018.
The penalty, issued on Tuesday by Ireland’s Data Protection Commission (DPC) enforcing the bloc’s General Data Protection Regulation (GDPR), is far from being the largest GDPR fine Meta has been hit with since the regime came into force over five years ago. Still, it is notable as it’s a substantial sanction for a single security incident.
The breach dates back to July 2017, when Facebook rolled out a video upload function that included a “View as” feature, which let the user see their own Facebook page as it would be seen by another user.
A bug in the design allowed malicious actors to invoke the uploader in conjunction with Facebook’s ‘Happy Birthday Composer’ feature to generate a user token that gave them full access to the Facebook profile of that user. They could then use the token to exploit the same combination of features on other accounts, gaining unauthorized access to multiple users’ profiles and data, per the DPC.
Between September 14 and September 28, 2018, the watchdog said, unauthorized actors used scripts to exploit this vulnerability and log in to approximately 29 million Facebook accounts globally, around 3 million of which were based in the EU/European Economic Area.
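The flaw described above is, in the abstract, an access token minted for the wrong principal: a "preview as another user" mode that leaks into the identity the token carries, which then lets the holder repeat the trick from each newly compromised account. The following is an added, constructed model of that pattern and its fix, written for this page; it is not Facebook's code, does not reproduce the uploader or birthday-composer details the DPC describes, and the user names and friend graph are invented to make the chaining visible.

```python
"""Constructed model (not Facebook's code): a 'View as' preview mode whose
token-minting takes the subject from the preview target instead of the
signed-in user, beside the corrected version, and a breadth-first chain
that shows why one such token turns into many compromised accounts."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Session:
    viewer: str                      # the authenticated principal
    view_as: Optional[str] = None    # "View as" preview target, or None


def mint_token_vulnerable(s: Session) -> str:
    """Modelled bug: the token subject falls through to the preview target,
    so a viewer previewing as 'alice' receives a token that acts as alice."""
    return f"token:{s.view_as or s.viewer}"


def mint_token_fixed(s: Session) -> str:
    """Fix: the subject is always the authenticated principal. Preview mode
    may change what is rendered, never who the caller is."""
    return f"token:{s.viewer}"


def token_subject(token: str) -> str:
    """Who a token acts as (toy format 'token:<user>', assumption)."""
    return token.split(":", 1)[1]


# Constructed friend graph: who can be selected as a "View as" target
# from each account. Invented names, purely illustrative.
FRIENDS: Dict[str, List[str]] = {
    "mallory": ["alice"],
    "alice": ["bob", "carol"],
    "bob": ["dave"],
    "carol": [],
    "dave": [],
}


def harvest(attacker: str, mint: Callable[[Session], str],
            friends: Dict[str, List[str]] = FRIENDS) -> Set[str]:
    """Chain the bug: each token held lets the attacker open a session as
    its subject, preview as each of that user's friends, and mint again.
    Returns the set of accounts the attacker ends up holding tokens for."""
    owned: Set[str] = {attacker}
    queue = deque([attacker])
    while queue:
        current = queue.popleft()
        for friend in friends.get(current, []):
            subj = token_subject(mint(Session(viewer=current, view_as=friend)))
            if subj not in owned:          # a token for someone new: keep going
                owned.add(subj)
                queue.append(subj)
    return owned


if __name__ == "__main__":
    print("vulnerable:", sorted(harvest("mallory", mint_token_vulnerable)))
    print("fixed:     ", sorted(harvest("mallory", mint_token_fixed)))
```

With the vulnerable minter the walk reaches every account in the graph from a single starting account; with the fixed minter every token comes back as the caller's own and the walk stops immediately. The check worth carrying into a real code base is the one in `token_subject`: whatever the preview or impersonation feature does to rendering, the subject of any credential it issues must be compared against the authenticated session, not against the request's "view as" parameter.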
Personal data impacted by the breach included Facebook users’ full names, email addresses, phone numbers, location, places of work, dates of birth, religion, gender, posts on timelines, groups in which they were a member, and children’s personal data.
The broad sweep of impacted personal data is likely to have influenced the size of the fine.
Two enforcement decisions
On Tuesday, the Irish regulator issued its final decisions on two inquiries it had opened into the 2018 incident: One decision covers Meta’s breach notification, as the GDPR requires prompt and comprehensive reporting of major security incidents, while the other concerns rules on data protection by design and default.
In both cases, the DPC found Meta infringed the bloc’s GDPR.
The full sanction breaks down as follows:
Meta has been fined €11 million in relation to the first decision, with the DPC finding that the company’s breach notification did not include all the information it “could and should have”. It also notes the company did not fully document the facts of the breach and the steps taken to remedy the issue.
On top of that, Meta has been fined €240 million in relation to the second decision, in which the DPC confirmed the company violated GDPR principles of data protection by design, as it did not have appropriate measures in place to protect people’s data from unintended processing.
Commenting in a statement, DPC deputy commissioner Graham Doyle said: “This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals.
“Facebook profiles can, and often do, contain information about matters such as religious or political beliefs, sexual life or orientation, and similar matters that a user may wish to disclose only in particular circumstances. By allowing unauthorised exposure of profile information, the vulnerabilities behind this breach caused a grave risk of misuse of these types of data.”
Another notable element of the ruling under the DPC’s two commissioners, Dr. Des Hogan and Dale Sunderland — who took over from commissioner Helen Dixon earlier this year — is that no objections were raised to Ireland’s draft decision by peer authorities.
“The DPC is grateful for the cooperation and assistance of its peer EU/EEA supervisory authorities in this case,” the regulator wrote in a press release.
Critics of the DPC under Dixon accused the regulator of routinely under-enforcing the GDPR on Meta and other tech giants. Many of the regulator’s draft decisions on Big Tech at that time were disputed by its peers. A number of enforcements against Meta specifically entailed lengthy dispute proceedings — with some requiring binding decisions from the European Data Protection Board to conclude the process.
So it’s notable that this enforcement against Meta, which the DPC says was submitted as a draft decision to the GDPR cooperation mechanism in July 2024, has passed through unscathed.
Reached for a response to the penalty, Meta spokeswoman Emily Westcott emailed a statement in which the company wrote: “This decision relates to an incident from 2018. We took immediate action to fix the problem as soon as it was identified, and we proactively informed people impacted as well as the Irish Data Protection Commission. We have a wide range of industry-leading measures in place to protect people across our platforms.”
Back in September, the DPC issued another decision against Meta for a 2019 security breach. The company was fined €91 million for an incident in which “hundreds of millions” of users’ passwords had been stored in plaintext on its servers.