The Data Protection Commission (DPC) of Ireland has imposed a fine of €265 million (approximately $277 million) on Meta Platforms, the parent company of Facebook. The penalty stems from a breach involving the personal data of over 500 million users and adds to the scrutiny U.S. tech companies face over privacy compliance.
The investigation, which began on April 14, 2021, followed reports of a large data leak that exposed a “collated dataset” of Facebook users’ information, highlighting the vulnerability of user data that had been made available on the internet.
The breach involved sensitive personal details of 533 million users, including their phone numbers, dates of birth, locations, email addresses, gender, marital status, and the dates of account creation, all of which were accessible online.
Meta has admitted that the data in question was “old” and had been harvested by malicious actors using a technique known as “phone number enumeration.” This involved the exploitation of the “Contact Importer” tool on Facebook, which was designed to match uploaded phone numbers with user profiles.
Since the breach, Facebook has disabled the feature allowing phone numbers to be used for profile scraping, an effort to prevent such incidents moving forward. In addition to the financial penalty, the DPC has mandated that Meta’s Irish operations comply strictly with EU data protection regulations.
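As an added illustration, not Meta's code or the Contact Importer's actual logic, the following constructed model shows the defensive checks a platform would put in front of a contact-matching lookup so that it cannot be driven as a phone-number enumeration oracle: a per-client probing cap, refusal of batches that look like generated number ranges rather than a real address book, and flagging of clients whose uploads almost never match anyone. The directory, thresholds and class names are assumptions.

```python
"""Defensive model of a contact-import lookup that resists phone-number
enumeration. Constructed example: directory, thresholds and names are made up."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed directory: E.164 phone number -> opaque user id.
DIRECTORY = {"+35310000001": "u1", "+35310000002": "u2", "+35310000123": "u3"}


@dataclass
class ImportGuard:
    window_cap: int = 500          # distinct numbers one client may probe per window
    max_batch: int = 100           # numbers accepted in a single upload
    min_match_ratio: float = 0.02  # genuine address books mostly match someone
    seen: dict = field(default_factory=lambda: defaultdict(set))
    flagged: set = field(default_factory=set)

    @staticmethod
    def _looks_sequential(numbers):
        """True if most sorted numbers differ from their predecessor by exactly 1,
        i.e. a generated range rather than a real address book."""
        digits = sorted(int("".join(ch for ch in n if ch.isdigit())) for n in numbers)
        steps = [b - a for a, b in zip(digits, digits[1:])]
        return bool(steps) and steps.count(1) / len(steps) > 0.8

    def import_contacts(self, client_id, numbers):
        """Return matched user ids for an uploaded address book, or refuse it."""
        numbers = list(dict.fromkeys(numbers))  # dedupe, keep order
        probed = self.seen[client_id]
        if len(numbers) > self.max_batch or len(probed | set(numbers)) > self.window_cap:
            self.flagged.add(client_id)
            return {"status": "rate_limited", "matches": []}
        if len(numbers) >= 10 and self._looks_sequential(numbers):
            self.flagged.add(client_id)
            return {"status": "blocked_enumeration", "matches": []}
        probed.update(numbers)
        matches = [DIRECTORY[n] for n in numbers if n in DIRECTORY]
        # A large upload that matches almost nobody is probing, not syncing contacts.
        if len(numbers) >= 20 and len(matches) / len(numbers) < self.min_match_ratio:
            self.flagged.add(client_id)
        # Return only opaque ids for matches; never echo which numbers missed.
        return {"status": "ok", "matches": matches}
```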
In response to the ongoing threat of unauthorized data scraping, Meta has introduced an expanded bug bounty program aimed at incentivizing comprehensive reporting of vulnerabilities related to scraping across its platforms.
This marks the fourth instance in which the Irish DPC has fined Meta and its subsidiaries, including Instagram and WhatsApp, underscoring sustained regulatory pressure. Notably, in September 2021, WhatsApp was fined €225 million for inadequate transparency regarding user data collection and sharing policies with Meta.
In March 2022, the DPC further fined Meta €17 million due to various security lapses that resulted in twelve separate data breach notifications, affecting approximately 30 million Facebook users over a short time frame.
Similarly, in September 2022, Instagram faced a fine of €405 million for mishandling the data of minors, particularly concerning the exposure of personal contact information from business accounts, violating the General Data Protection Regulation (GDPR).
For businesses concerned about data security, these developments highlight the importance of robust data governance and of proactive measures that protect sensitive information against adversary tactics such as initial access and persistence, as catalogued in the MITRE ATT&CK framework. Implementing effective security controls can significantly reduce these risks and improve compliance with regulatory requirements.