Meta (formerly Facebook) was fined €251 million ($263.5 million) on Tuesday by Ireland’s Data Protection Commission (DPC) for a 2018 security breach that compromised the personal data of 29 million users.
The breach involved cyber attackers exploiting a vulnerability in Facebook’s “View As” feature, exposing user details such as full names, contact information, locations, workplaces, birthdates, religions, genders, and even their children’s data. Approximately 3 million of the affected accounts were based in the EU and European Economic Area.
DPC Deputy Commissioner Graham Doyle highlighted the severity of the breach, stating that the vulnerabilities posed a “grave risk of misuse” of sensitive data. While Meta promptly addressed the breach and notified the DPC, the incident still resulted in significant regulatory action.
This fine adds to the nearly €3 billion in penalties imposed on Meta by the DPC under the EU’s General Data Protection Regulation (GDPR) since its implementation in 2018. Notably, Meta is appealing a €1.2 billion fine issued in 2023.
A Meta spokesperson stated that the company took immediate action to resolve the breach and plans to appeal the latest decision, emphasizing that Meta has extensive measures in place to protect user data across its platforms.
