Meta Platforms Fined €251 Million by Ireland’s Data Protection Commission for Data Breach
In a significant ruling, Ireland’s Data Protection Commission (DPC) has imposed a fine of €251 million (approximately US$264 million) on Meta Platforms’ Irish subsidiary. This penalty stems from two investigations into a personal data breach that reportedly affected around 29 million users globally. The decision underscores the ongoing scrutiny of technology giants regarding compliance with data protection regulations, particularly in light of the General Data Protection Regulation (GDPR).
The breach was initially reported by Meta Platforms Ireland Limited (MPIL) in September 2018. According to the DPC’s findings, the compromised data included sensitive personal information such as full names, email addresses, phone numbers, and content from users’ posts across timelines and groups. Among those affected, roughly three million users were located within the European Union and European Economic Area. The DPC characterized the breach as a serious violation of users’ privacy rights and a failure to meet GDPR obligations.
Investigations revealed that unauthorized third parties had exploited user tokens on Facebook, allowing them to gain unwarranted access to personal data. Although MPIL and its parent company in the United States took measures to address the breach shortly after its detection, the DPC held them accountable for not properly documenting the facts surrounding the incident and the remedial actions undertaken. Furthermore, the DPC criticized Meta for not ensuring that, by default, only personal data necessary for specific purposes was processed.
In response to the ruling, a representative from Meta asserted that the company acted swiftly to remediate the issue upon discovery and communicated proactively with affected individuals and the DPC. They emphasized ongoing efforts to implement industry-leading security measures across their platforms to safeguard user data amidst an evolving threat landscape.
This ruling is not the first of its kind for Meta; just this past September, the DPC levied a €91 million fine on the platform due to concerns over password storage practices. Such repeated sanctions highlight the regulatory challenges that major tech companies face in maintaining compliance with stringent data protection laws.
From a cybersecurity perspective, this breach illustrates the kinds of weaknesses organizations may encounter. The tactics involved may map to those catalogued in the MITRE ATT&CK matrix. Initial access could have been gained through social engineering or the exploitation of misconfigurations, while persistence may have been maintained through the misuse of user tokens. Privilege escalation would also become a concern if that unauthorized access were leveraged to reach further personal data.
As businesses increasingly rely on digital platforms, the implications of such breaches extend beyond financial penalties. They serve as critical reminders of the importance of robust cybersecurity measures and stringent adherence to data protection regulations. Employers and business owners must remain vigilant and proactive in safeguarding user data to mitigate risks associated with potential breaches and maintain compliance in an ever-evolving regulatory landscape.