Meta Platforms Fined €251 Million for 2018 Data Breach
Meta Platforms, the parent company overseeing Facebook, Instagram, WhatsApp, and Threads, has faced a significant financial penalty of €251 million (approximately $263 million) for a data breach that occurred in 2018. This breach affected millions of users, particularly within the European Union (EU) and European Economic Area (EEA), as the company continues to confront repercussions for failing to adhere to strict data privacy regulations.
The Irish Data Protection Commission (DPC) reported that the breach compromised around 29 million Facebook accounts worldwide, of which roughly 3 million were located in the EU and EEA. Initial assessments by Meta suggested a total of 50 million accounts were affected, indicating substantial discrepancies in the company’s reporting.
The incident, made public by Meta in September 2018, was precipitated by a bug introduced into Facebook’s systems in July of the same year. This vulnerability permitted threat actors to exploit the “View As” feature, which allows users to see how their profile appears to other users. By manipulating this feature, attackers were able to acquire access tokens, enabling them to take over user accounts.
The breach resulted in the exposure of various types of personal data, including full names, email addresses, phone numbers, geographical locations, workplace information, birthdays, gender, and even posts and groups associated with user profiles. The DPC elaborated that by utilizing the “View As” function alongside the video uploader and the “Happy Birthday Composer,” attackers could generate a fully authorized user token, granting them extensive access to other users’ profiles and data.
Additionally, the DPC uncovered that attackers had leveraged scripts to exploit this vulnerability between September 14 and September 28, 2018, leading to the unauthorized access of millions of accounts. In response to this breach, Meta has since deactivated the feature that allowed such exploits.
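The issuance flaw the DPC describes, a preview feature that ends up minting a fully authorized token for the account being previewed, modelled as an added example that is not Meta's code and does not reproduce Facebook's actual mechanism: `vulnerable_view_as`, `hardened_view_as`, `token_bound_to_session` and the signing key are hypothetical, constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for the demo; a real issuer would use a managed secret.
ISSUER_KEY = b"constructed-demo-key"
FULL_SCOPES = ("profile:read", "profile:write", "post:create")


def mint_token(subject, scopes, **claims):
    """Issue a signed token. `subject` is the principal the token acts for."""
    body = {"sub": subject, "scopes": list(scopes), **claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def parse_token(token):
    """Verify the signature and return the claims, or raise on tampering."""
    encoded, sig = token.split(".")
    payload = base64.urlsafe_b64decode(encoded)
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("invalid token signature")
    return json.loads(payload)


def vulnerable_view_as(session_user, viewed_as_user):
    # Bug class: to render the page "as" another user, the preview path mints a
    # full-privilege token whose principal is that other user. Any component
    # that leaks the token (for example by embedding it in the rendered page)
    # hands over the viewed-as account, not the caller's own.
    return mint_token(viewed_as_user, FULL_SCOPES)


def hardened_view_as(session_user, viewed_as_user):
    # Fix (data protection by design): the principal is always the
    # authenticated caller. The viewed-as identity is a narrow claim consumed
    # only by the renderer, and the token carries no scope that can act on
    # either account.
    return mint_token(session_user, ("preview:render",), view_as=viewed_as_user)


def token_bound_to_session(token, session_user):
    """Server-side invariant to monitor: a token issued during a session must
    act for that session's user. A mismatch signals a confused-deputy bug."""
    claims = parse_token(token)
    return claims["sub"] == session_user
```

Logging every issuance where `token_bound_to_session` is false gives a concrete detection for this bug class independent of which feature triggered it.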
The fine handed down to Meta covers four primary violations under the General Data Protection Regulation (GDPR): failing to comprehensively inform users about the breach, inadequately documenting breach-related facts, neglecting to integrate data protection by design, and breaching its obligations to process only the necessary personal data for specific purposes.
Graham Doyle, Deputy Commissioner of the DPC, emphasized that such enforcement actions underscore the critical importance of embedding data protection requirements within the design and development processes to mitigate risks that can expose individuals to significant harm and violations of their rights.
This latest penalty marks the second time the DPC has sanctioned Meta; in September 2024, the company was fined €91 million ($101.5 million) for a 2019 incident involving the improper storage of user passwords in plaintext. Concurrently, Meta has also initiated a payment program amounting to AU$50 million ($31.5 million) to resolve claims linked to the misuse of personal information for political profiling, stemming from the notorious Cambridge Analytica scandal.
The settlement program is aimed at individuals who held Facebook accounts between November 2013 and December 2015 and meet specific criteria concerning app interactions. It outlines a dual-tier compensation structure, addressing both generalized concerns and specific damages experienced by individuals due to the data breach.
Meta’s challenges continue to evolve within the regulatory landscape, demonstrating the ongoing scrutiny the company faces as it navigates the complex interplay of user data security, privacy regulations, and the monumental responsibility of protecting user information in the digital age.
In analyzing this incident within the MITRE ATT&CK framework, tactics such as initial access through the exploitation of vulnerabilities, credential access via data extraction methods, and potential lateral movement to access additional accounts may provide insight into the methods employed by the attackers during this breach. As organizations increasingly confront similar risks, the imperative for robust cybersecurity measures and compliance with evolving regulations remains essential.